Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports]. The highlights of the survey were announced in PGP’s press release. Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, the average cost of a data breach was $3.4 million. That is $142 per customer affected by the breach.
Unfortunately for U.S. businesses, the survey found that data security breaches in the U.S. were more expensive than in other countries, $204 per customer on average. The survey found that the existence of breach notification laws, such as the 45 state notification laws adopted in the U.S., corresponds to substantially increased costs of data breaches.
The survey’s other findings include:
- The most expensive breach remediation cost one U.S. company $31 million, while the least expensive was $750,000.
- 35% of all breaches involved outsourced data provided to third parties, while 36% of breaches were caused by hackers.
- Businesses that have a Chief Information Security Officer (CISO) incurred reduced costs for data breaches, 21% less on average.
Extremes in data breach costs are partly based on individual breach scope, staff size and annual revenue. Stitching together a more nuanced picture of risk input vs control factors strongly interests me. Is it possible to get de-identified tables matching these dependencies in the future?
Best Wishes,
Don