Breach Fatigue? Cost Of A Data Breach Declines For The First Time

Call it grizzled experience from multiple breaches, but for the first time in seven years the cost of a data breach has dropped -- and by a whopping 20 percent.

The Ponemon Institute's new "2011 Cost Of Data Breach Study" for the U.S., sponsored by Symantec, found that the cost to an organization hit by a breach was $5.5 million last year, down from $7.2 million in 2010. The cost per breached record also declined last year, from $214 to $194.

"We didn't expect a decrease," says Larry Ponemon, chairman and founder of The Ponemon Institute, which surveyed and interviewed some 49 U.S. organizations that had been hit by breaches. The study excluded massive breach incidents of more than 100,000 compromised records to prevent a skewing of the data.

The drop likely has to do with experience, as organizations do a better job at responding to and defending against breaches, according to the Ponemon report, and thanks to state breach laws.

Another bit of good news: Customers are less likely to jump ship from a business or retailer that gets breached. Customer churn is down by 18 percent for the first time in the study. According to the report, the cost of loss of business dipped from $4.54 million in 2010 to $3.01 million last year, meaning customers were less likely to abandon a business hit by a data breach.

"Lost business is usually the biggest loss -- losing customers, recruiting new ones," and rebuilding reputation, Ponemon says.

But don't expect the cost of breaches to continue to drop, Ponemon says. "My gut tells me this is just a point in time: It's very likely it could go up. It's very likely a major data breach results in harm to a lot of individuals, with identity theft and medical identity theft that might drive up that churn rate," he says.

The report also revealed that certain factors can increase or decrease the cost of a data breach. An organization's first breach costs them an average of $37 more per record, and jumping the gun to notify customers can be costly: Organizations that notified customers too quickly about a breach before properly assessing it on average paid $33 more per record. "Quick response, we found, can actually drive up your costs. It's a balance between thoughtful response and a timely notification," Ponemon says.

Breaches caused by third parties or lost devices are more expensive, too: Add an average of $26 per record to the bill for third-party data breaches, and $22 for a lost laptop or other device.

Having a CISO in charge of data protection can save you money, decreasing the cost per breached record by an average of $80, and bringing in outside consultants to help in the aftermath of a breach can reduce the cost per exposed record by an average of $41 per record.

The type of breach also dictates the cost of the aftermath: A malicious attack, which accounted for 37 percent of the breaches in the study, is the priciest, at $222 per compromised record. User error or negligence was the most common, with 39 percent of the breaches, and costs about $174 per record.

And the bottom line of the study: The cost of detection and escalation dropped 6 percent, to $428,330, on average in 2011 in comparison to $455,304 in 2010. "There are two ways of reading this. One, companies are spending less resources on forensics, but I don't think that's happening here. Or a lot of companies had no clue how to respond when they found a breach before, so IR planning is making investment more efficient," Ponemon says.

Meanwhile, breach notification costs rose by 10 percent to $561,495 last year, versus $511,454 in 2010. "The reason for that, we think, is not that regulations have changed that much, but the view that the regulatory hammer is going to come down on companies who are not careful on managing their data ... notification costs increased because of the way organizations are being the most transparent" about a breach, he says.

The full Ponemon report is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.