The cost of a data breach rose last year to $204 (£126) per customer record, according to the Ponemon Institute. The average total cost of a data breach rose from $6.65 million (£4.1 million) in 2008 to $6.75 million (£4.17million) in 2009.
Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it.
Breach costs increased just $2 per compromised customer record, as compared to 2008 costs. However in the five years that Ponemon Institute has conducted its study, costs have increased from $138 per compromised customer record.
In tallying the cost of a data breach, Ponemon Institute looks at several factors including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training.
There appear to be three main causes for a data breach, says Dr. Larry Ponemon, chair and founder of the Institute, as indicated by the 45 companies that shared their stories for the "Fifth Annual US Cost of Data Breach Study," sponsored by PGP.
"As part of our analysis, we try to get at the root cause of the data breach," Ponemon says. "There's negligence, where people make mistakes, such as lost laptops, accounting for 40% of the data breach cases. There are system glitches, such as a third-party sending out statements they shouldn't, which was 36%. And there are malicious and criminal attacks, at 24%."
Ponemon adds that 2009 brought "more sophisticated criminal attacks that didn't show up on our radar screen" the previous year. These malicious attacks often involved botnets and were carried out for reasons of financial gain.
Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organisations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.
The management skills of the CISO, or an individual in an equivalent position, seemed to help hold down the cost of a data breach: The average per capita cost of an incident was $157 per record for companies with a CISO, versus $236 for companies without one.
The magnitude of the breach events, according to the study, ranged from about 5,000 to about 101,000 lost or stolen customer records. Among the incidents reported, the most expensive data breach cost nearly $31 million to resolve, and the least expensive cost $750,000.