The cost to businesses of exposing data such as Social Security and credit-card numbers climbed 7 percent last year to an average of $7.2 million per incident, according to a study of companies that experienced breaches.
The most expensive incident cost an unidentified company $35.3 million, an increase of 15 percent from the costliest breach a year earlier, according to a report released today by Ponemon Institute LLC, an information security research group. The name of the company was withheld because of the sensitivity of the breach. The report was sponsored by Symantec Corp., the world’s largest maker of security software.
“One of the factors that’s raising the costs is the detection, forensics and upfront work to get to the bottom of the issue,” said Larry Ponemon, president of the institute, in an interview from the group’s headquarters in Traverse City, Michigan. “As more malicious attacks come online, organizations are paying more attention and are investing in their networks.”
About 85 percent of all U.S. companies have experienced one or more data breaches, Ponemon said, and the figure may be larger because many don’t have the ability to detect when information has been exposed. The potential expense of losing customers to a security breach is prompting U.S. companies to spend more on bolstering their systems, he said.
Costs of data breaches are increasing as more states pass laws requiring companies to disclose whenever customers’ personal information is exposed, Ponemon said. So far, 46 U.S. states have passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply.
Patchwork of Laws
“The patchwork state laws drive up significantly the cost of incident response for national corporations because the reporting requirements and data sets are different for each state,” said Eric Friedberg, a co-president at Stroz Friedberg LLC, which does forensic analysis of data breaches. “When you have to report to several state attorneys general on the forensics side, it becomes way more complex than if there were one standard.”
The U.S. government has yet to adopt guidelines for companies to follow in the event data is exposed. The House of Representatives passed a bill in 2009 that would set a unified standard for responding to breaches and require consumer notification. A Senate version of the legislation was introduced in 2009 but has yet to advance.
Most Not Publicized
Most corporate data breaches are not publicized to avoid alarming customers. Ponemon based its study, titled “2010 U.S. Cost of a Data Breach,” on interviews with executives from 51 U.S. companies that publicly acknowledged a breach of sensitive customer data last year and were willing to talk about it. The report did not name the companies studied.
The study covered U.S. companies from 15 industry sectors, including retail, health care and financial services. In tallying data breach costs, the group looked at factors including lost business, legal fees, customer disclosure and remediation expenses such as technology and training.
Malicious attacks increased 7 percentage points in 2010 from the previous year, the study found, with the costs of such attacks jumping 48 percent, to an average of $318 per compromised record. Hostile breaches on average cost more than incidents blamed on negligence, such as lost laptops or computer system breakdowns, the report said.
The most recent high-profile data breach was the hacking of a Nasdaq OMX Group Inc. website last month. The second-largest U.S. exchange operator by market value said the breach did not impact its trading systems and didn’t expose any customer data. The Federal Bureau of Investigation, Secret Service, and U.S. lawmakers are investigating the matter.