Study: Negligence Causes Most Data Breaches

A just-released study concludes that the cost of data breaches to businesses is rising from both internal negligence and the actions of third parties.

The overall cost of data breaches is also rising. In 2008, the overall average cost to respondents was more than $6.6 million per breach, compared to $6.3 million in 2007 and $4.7 million in 2006, the study found. Actual costs ranged from $613,000 to almost $32 million.

The fourth annual U.S. cost of data breach study conducted by the Ponemon Institute detailed the dangers. The study, which covers 2008, was funded by encryption vendor PGP. It found that 88 percent of data breaches are caused by simple negligence on the part of staff.

The Ponemon study found that the cost of lost business makes up the bulk of the cost of data breaches, and has been going up steadily. Legal fees are rising as well.

For this study, the institute looked at 43 companies of varying size in 17 industry sectors, all of which had suffered a data breach. About 84 percent of them had suffered more than one data breach. The study took into account the cost of detection, escalation and notification, and of responding to a breach after it occurred.

“In 88 percent of companies where you had events resulting in significant data loss, these were attributable to people who were incompetent or negligent or didn’t understand the rules of the road,” Phil Dunkelberger, PGP’s CEO, told

However, the 12 percent of breaches that were caused by third parties cost the respondents more than in-house breaches, Larry Ponemon, chairman and founder of the Ponemon Institute, told
Per-victim costs for third-party breaches have gone up by $52, to $243 in 2008 compared with $192 in 2007, the study found.

Danger from the outside

The number of third-party breaches is climbing – 44 percent of the respondents to the study reported a breach by outsourcers, contractors, consultants or business partners, as compared with 40 percent in 2007. The figure for 2006 was 29 percent and that for 2005 was 21 percent.

“It’s not that the third party companies are bad, in fact, they sometimes do a much better job than their clients,” Ponemon said. “But there are more forensic costs involved in determining what happened, the investigations are more difficult to conduct, and you may require other legal avenues than when you investigate an in-house breach.”


Newbies suffer more

Data breach costs are higher for companies hit for the first time than for those that have been hit before, the study found. Per-victim cost for a first-time data breach is $243, compared with $192 for old hands. “First timers are not prepared to deal with a breach,” Ponemon said. “Companies that had two or more breaches were better able to deal with them and were able to mitigate or reduce the cost. Pain is a pretty good teacher.”

The cost of lost business accounts for 69 percent of the cost of a data breach, the study found. It averages $4.59 million, or $139 per record compromised. This is partly due to increased customer churn, as customers take their business elsewhere. Between 2005 and 2008, the cost of customer churn grew 38 percent, or more than $64 on a per-victim basis, the study found.

Not only do angry customers vote with their feet, but they also blab, and that increases the cost of lost business. “People are willing to talk about a problem when they feel they’ve been marginalized or ignored, and that increases the amount of lost business and the cost of customer acquisition,” Ponemon said.

Healthcare and financial companies suffered the highest customer loss, experiencing churn rates of 6.5 percent and 5.5 percent, respectively.

Experts advocate taking a risk management approach to breaches. However, most risk management specialists fail to take into account the intangible factors around breaches, such as staff training, and the cost of lost business and new customer acquisitions, PGP’s Dunkelberger said.

“You’re better off with an ounce of prevention, by implementing training and having encryption, but most risk managers don’t take these into account.”

Insider negligence can be reduced through having a strong security policy and processes and training, Gretchen Hellman, vice president of security solutions at security vendor Vormetric told

“You need more security awareness training, a strong security policy, and processes to make sure everyone has done what they should,” she said.

“Prevent where you can, monitor where you can’t, and start off with policy and procedures and checks and balances.”
