The average cost of a data breach rose $2 over the 2008 average, to $204 per compromised customer record. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its fifth annual report (Available Here) declaring that the average cost per compromised customer record rose to $204. The report is sponsored by PGP Corporation.
The report is based on 45 reported real-world data breaches, with samples ranging from 5,000 to approximately 10,000 records. Of the breaches studied, organizations paid a low of $750,000 and a high of $31 million in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 million to $6.75 million between the 2008 and 2009 (Summary) studies.
The $204 cost is further broken down: $144 relates to indirect costs, such as customer loss and the loss of prospective customers. The balance relates to direct costs incurred by organizations, an increase of $10 over the 2008 report.
Third-party errors were the source of the data breach in 42% of the cases. Only 24% of the data breaches resulted from intentional attacks and breaches. Shockingly, 82% of the breaches studied by the Ponemon Institute involved organizations that had multiple data breaches of 1,000 records or more in 2009. But the good news for the repeat offenders is that their average cost is only $198 per record (versus an average of $228 per record for organizations with first-time data breaches).
But those organizations that move quickly tend to experience a higher cost per record for the breach response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency, and spend on average $219 per record. Those organizations that have a much more organized response spend on average $196 per record.
Organizations that engage third parties to assist in the response and compliance following a data breach actually spend much less per record compromised ($170 versus $230).
In less than half of the cases studied (40%), the response was managed by the organization’s chief information security officer.