Privacy and information management research firm Ponemon Institute and PGP Corporation, a global leader in enterprise data protection, today announced the results of the second annual study into the costs incurred by UK businesses after experiencing a data breach.
The "2008 Annual Study: UK Cost of a Data Breach," undertaken by the Ponemon Institute and sponsored by PGP Corporation, found that the average total cost per incident had risen to £1.7 million in 2008, up from last year's figure of £1.4 million. On average, each lost customer record cost firms £60, a 28% increase on 2007's figure of £47. For the second year running, lost business due to reduced consumer trust was the main contributor to overall data breach costs.
The report focuses on the cost of activities resulting from actual data loss incidents, as well as identifying the most frequent causes and likely technology responses to a data breach. The magnitude of breach events included in the survey ranged from 4,100 to more than 92,000 records compromised, from 30 UK businesses spanning ten different industry sectors.
The key findings in the report are as follows:
- The total cost of a data breach ranged from £160,000 to £4.8 million, with an average cost of £60 per customer record - a 28% increase on 2007's figure of £47 per record
- 53% of reported costs were due to lost business, suggesting that the UK public cares deeply about the loss or theft of their personal information
- 70% of all cases in this year's study involved insider negligence, emphasising that more needs to be done to educate staff on the importance of safeguarding information. Only 30% of incidents involved malicious acts
- 33% of data breach cases in 2008's study resulted from third-party errors. Breaches involving data outsourced to third parties were the most costly, at £67 per victim, as opposed to £56 per victim when no third party was involved
- Costs associated with detection, escalation and ex-post response (i.e. handling communications from customers after a breach) decreased slightly in 2008, suggesting that businesses are improving their processes to uncover, manage and communicate data breaches
Survey respondents identified encryption and identity and access management solutions as the top two technology responses following a data breach. Control practices and training and awareness programmes were cited as the top two manual processes. This suggests that UK organisations understand that an enterprise data protection strategy that is supported and understood by all employees must be implemented to properly safeguard information.
"In just the second year of this UK study, research proves UK businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."
The study, sponsored by PGP Corporation and independently conducted by the Ponemon Institute, examines the financial consequences of data breaches involving consumers' personally identifiable information. The study uses objective methods to quantify the specific activities that give rise to direct, indirect and opportunity costs when personal information is lost or stolen and breach victims must be notified, as required by law or policy.
"2008 saw no slowdown to the stream of data breaches started in 2007 - if anything they've gotten bigger and more costly," said Phil Dunkelberger, president and CEO of PGP Corporation. "In this current climate, organisations are taking desperate measures to preserve their reputation and retain customers; this study shows they simply cannot afford to lose out to competitors as a result of poor data security."