Ponemon Study Finds Average Cost of Data Breach Was $3.4 million in 2009

Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports].  The highlights of the survey were announced in PGP's press release.  Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, the average cost of a data breach was $3.4 million.  That is $142 per customer affected by the breach. 

Unfortunately for U.S. businesses, the survey found that data security breaches in the U.S. were more expensive than in other countries, $204 per customer on average.  The survey found that the existence of breach notification laws, such as the 45 state notification laws adopted in the U.S., corresponds to substantially increased costs of data breaches.

The survey's other findings include:

  • The most expensive breach remediation cost one U.S. company $31 million, while the least expensive was $750,000.
  • 35% of all breaches involved outsourced data provided to third parties, while 36% of breaches were caused by hackers.
  • Businesses that have a Chief Information Security Officer (CISO) incurred reduced costs for data breaches, 21% less on average.


Departing Employees Are Increasingly Stealing Company Information

As discussed by Mike Rosen on Foley Hoag's Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company information also admitted that they used that information to leverage a new job.

As I posted back in early February, another recent report, this one from McAfee, concluded that the shrinking economy and growing ranks of unemployed were increasing incentives for insiders to steal confidential information.  The Ponemon report seems to bear this out.

What's troubling is that the Ponemon report found that only "15% of respondents' companies review or perform an audit of the paper and/or electronic documents employees are taking.  If they conduct a review, 45% say it was not complete and 29% say it was superficial."  According to the McAfee report, however, 68% of the senior IT decision-makers surveyed cited insider threats as the top threat to essential information.  Taking these two reports together, it appears that companies understand that their (and their customers') confidential information is vulnerable to insider threats, yet they are not taking the necessary steps to secure that information from departing employees.  In this current climate, where data breaches are expanding (both in terms of numbers and size), it is imperative for companies to adopt and implement comprehensive approaches to ensure the security of proprietary information accessible to a departing employee and to minimize the accessibility of such information.

Links:

  • The Washington Post Article "Data Theft Common by Departing Employees" can be found here.
  • The cnn.com article can be found here.
  • The Ponemon report is available for download here (requires registration). 
  • The post on the Ponemon report at the Massachusetts Noncompete Law Blog can be found here.