As the number of data breaches reported annually continues to surge, the costs incurred by companies that report incidents also are increasing, according to a new study by the Ponemon Institute. In 2007, the average total cost of a breach for a company in any industry was $6.3 million, reports the security and privacy research organization, which surveyed 35 companies across all industries that experienced a data breach during the past year.
Costs ranged from $225,000 per breach to almost $35 million, and the average cost of each compromised record was $197, the Ponemon Institute says. But for firms in the highly regulated financial sector, the cost of a data breach is even higher -- rising to $239 per compromised record.
"The value of the data a financial firm has is much higher than companies in other sectors," explains John Dasher, director of product management at PGP Corp., which sponsored the survey together with Vontu. "They have personal information such as your account information and your Social Security number." As a result, financial institutions that suffer a data breach typically offer customers credit protection and change their account numbers -- which all adds to the total cost incurred by a company after a breach, Dasher notes.
Also adding to the cost of a data breach is reputational damage control, which is particularly high on the agenda for financial firms, Dasher adds. "If you’re in the financial sector, what’s more important than your brand when you’ve spent years trying to build trust with your clients?" he says. According to the study, companies in all industries reported a 3 percent rise in public relations and communications expenses in 2007 following an incident.
Meanwhile, as firms continue to outsource, the Ponemon study revealed that third-party breaches across all industries are on the rise. Breaches by contractors, consultants, outsourcers and business partners were reported by 40 percent of the companies surveyed, up from 29 percent in 2006. The study also showed that third-party breaches are more costly than those incurred by the enterprise itself, averaging $231 per compromised record.