27 Jan 2010
The average cost of a data breach has risen seven per cent over the past year to £64 per lost record, or a total average of £1.68m, according to the latest annual study from encryption software vendor PGP to be published tomorrow.
The 2009 Annual Study: UK Cost of a Data Breach, carried out by information management research firm the Ponemon Institute, separated the public and private sectors for the first time.
UK public organisations faced average costs of £59 a record, according to the report, while the cost to their commercial counterparts stood at £69.
The breaches studied for the research threw up a large disparity in resulting costs - from £365,000 to £3.92m - the main contributor being lost business due to reduced consumer trust, which accounted for £29 out of the average £64 per lost record.
Phil Dunkelberger, chief executive and president of PGP, explained that, although the research did not take into account any losses resulting from punitive action by regulators after a breach, losses can nevertheless mount up from various areas.
"People may change their buying behaviour after a breach, so they want to pay by cash and not credit card, or they are unwilling to give you marketing information. Then there is customer churn and an increased cost of customer acquisition post incident," he said.
Dunkelberger added that the message about the potential impact of data breaches and how to mitigate them is still struggling to get through.
"It takes a complicated breach to make people doing business around the world realise that their data is at risk," he said. "The whole reason for data breach laws [in the US] is that the press is doing an excellent job of finding incidents. I wonder why it's still such a mystery to people."
However, Bob Tarzey, an analyst with Quocirca, argued that companies are beginning to understand the impact of breaches.
"There is genuine concern out there, a genuine worry about the impact of a data breach on customers," he said. "A breach will happen to your organisation; it's about having the policies and technologies in place so that when it happens you can handle it."
The research also found that costs resulting from a breach can climb to as much as £81 a record when the breach resulted from third-party loss, while losses resulting from malicious attack recorded an average cost of £76 per record.
Conversely, organisations which notified customers swiftly after a breach, or those with a dedicated chief information security officer to take charge, found that their average losses were lower.
Dunkelberger warned that email servers remain a security blind spot for many organisations.
"They should be taking a holistic view, but many don't realise that the largest database they have is the mail server," he said. "So they might want to get a strategy around that, because what we're doing at the moment isn't working."