RealTime IT News

Study: Negligence Causes Most Data Breaches

A just-released study concludes that the cost of data breaches to businesses is rising from both internal negligence and the actions of third parties.

The overall cost of data breaches is also rising. In 2008, the overall average cost to respondents was more than $6.6 million per breach, compared to $6.3 million in 2007 and $4.7 million in 2006, the study found. Actual costs ranged from $613,000 to almost $32 million.

The fourth annual U.S. cost of data breach study, conducted by the Ponemon Institute, detailed the dangers. The study, which covers 2008, was funded by encryption vendor PGP. It found that 88 percent of data breaches are caused by simple negligence on the part of staff.

The Ponemon study found that the cost of lost business makes up the bulk of the cost of data breaches, and has been going up steadily. Legal fees are rising as well.

For this study, the institute looked at 43 companies of varying size in 17 industry sectors, all of which had suffered a data breach. About 84 percent of them had suffered more than one data breach. The study took into account the cost of detection, escalation and notification, and of responding to a breach after it occurred.

"In 88 percent of companies where you had events resulting in significant data loss, these were attributable to people who were incompetent or negligent or didn't understand the rules of the road," Phil Dunkelberger, PGP's CEO, told InternetNews.com.

However, the 12 percent of breaches that were caused by third parties cost the respondents more than in-house breaches, Larry Ponemon, chairman and founder of the Ponemon Institute, told InternetNews.com. Per-victim costs for third-party breaches have gone up by $52, to $243 in 2008 compared with $192 in 2007, the study found.

Danger from the outside

The number of third-party breaches is climbing: 44 percent of the respondents to the study reported a breach by outsourcers, contractors, consultants or business partners, compared with 40 percent in 2007. The figure for 2006 was 29 percent and that for 2005 was 21 percent.

"It's not that the third-party companies are bad, in fact, they sometimes do a much better job than their clients," Ponemon said. "But there are more forensic costs involved in determining what happened, the investigations are more difficult to conduct, and you may require other legal avenues than when you investigate an in-house breach."
