How much could a data breach incident cost your company? Based on the results of The Ponemon Institute’s recent 2010 Annual Study: U.S. Cost of a Data Breach, breach incidents are increasing both in direct and indirect costs. The healthcare, pharmaceutical, financial and communications industries are shouldering the greatest expense per record breach. On average, companies are spending 7 percent more per data breach event since 2009, up $7.2 million from $6.8 million. The study found a positive correlation between the number of records lost and the cost of an incident.
Direct costs of data breach incidents include customer notification, investigation and legal defense costs that directly impact a company’s’ bottom line. Class action suits and government fines can be extremely costly, as recent HIPAA enforcement has shown in the Cignet Health case ($4.3 million fine). Indirect costs include lost or diminished customer trust and confidence, as well as current or future customer business lost due to unusual turnover rates. Companies often end up with increased recruitment, marketing and new customer acquisition costs.
The average cost per compromised customer record increased 5 percent from 2009 to $214. The communications industry topped the highest average per-record costs at $380. Other industry sectors with the highest average per-record costs were financial and pharmaceutical at approximately $350. Industries with the highest churn rate in 2010 also included pharmaceuticals and healthcare.
Cost Per Data Breach By Industry, 2009-2010
What is causing these data breaches? The leading cause of data breaches is negligence. Non-deliberate negligence can stem from lack of knowledge or attention when it comes to compliance regulations for IT networks and infrastructures, or improper employee training on requirements, such as PCI compliance or HIPAA compliance. Deliberate negligence, by virtue of corporate policies that knowingly keep sensitive data at risk, is decreasing as hefty financial and criminal penalties are applied. Investing in HIPAA and HITECH privacy and security safeguards is worth the time and money, as prevention is the best way to reduce breaches and unnecessary costs. Many companies are considering partnering with a PCI or HIPAA hosting provider that already has the appropriate controls and infrastructure in place with independent, third party audits that verify compliance.
The second leading cause of data breaches is malicious attacks, or any intentional and organized data theft, from both inside and outside companies. The report recommends evaluating security policies of vendors that can guarantee data protection and have the appropriate procedures and controls in place. When looking for a hosting partner, ask if they have a SAS 70 or SSAE 16 audit, or a SOC report verifying best-in-industry security practices.
How can you prevent data breaches and unexpected fines and business expenses? The report recommends companies should seek centralized management of IT security in order to provide emphasis on best practices throughout their organizations. It also suggests that audited hosting providers are better able to comply with security policies and business-partner contracts. While technology is a major contributor to security, standardized polices and procedures are also critical to compliant hosting.