Data Security Statistics

Regulation is getting more complex:

  • Currently, a total of 46 states and four territories, including the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, have breach notification laws in place.
  • New U.S. Department of Health and Human Services (HHS) guidelines require patient notification of data breaches.
  • Enforcement of the Federal Trade Commission’s Red Flags Rule began December 31, 2010.

Ponemon Institute[1] (2011)

For the fifth year in a row, data breach costs have continued to rise. The average organizational cost of a data breach in 2010 increased to $7.2 million, up 7 percent from $6.8 million in 2009.

In 2010, the estimated cost of a general data breach was $214 per compromised record, up $10 (5 percent) from 2009.

  • The estimated cost of a data breach caused by negligence is $196 per record, an increase of 27 percent from 2009.
  • The estimated cost of a data breach caused by a third-party service provider is $302 per record, 41.1 percent more per compromised record than a general data breach.
  • The estimated cost of a data breach involving lost or stolen laptop computers or other mobile data-bearing devices is $258 per record, 20.5 percent more per compromised record than a general data breach.

Organizations experiencing a first breach pay the highest breach costs. In 2010, the cost per compromised record of an organization’s first data breach averaged $326 (up $98 or 43 percent from 2009 data).

Breaches with external consulting support reduced per-record cost by 11 percent.

Ponemon found that two-thirds of surveyed organizations that experienced a breach stated that they aimed to prevent future breaches through training and awareness programs.

Organizations that responded too quickly to a breach paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.

Abnormal churn or turnover of customers after data breaches appears to be a main driver in data breach cost. The average abnormal churn rate is 4 percent. The industries with the highest 2010 churn rate remained pharmaceuticals and healthcare (both up a point to 7 percent).

The industries with the highest 2010 average per-record costs were communications ($380), financial ($353), pharmaceutical ($345), healthcare ($301), and services ($301).

Verizon RISK Team in cooperation with the United States Secret Service[2] (2010)

  • Almost 50 percent of the breaches investigated by Verizon and the Secret Service in 2009 were attributed to insiders.
  • Eighty-seven percent of breached organizations had evidence of the breach in their log files and did not detect it.
  • Forty-eight percent of breaches were attributed to users who intentionally abused their right to access corporate information.
  • Most breaches in their sample (85 percent) were not considered “difficult” and could have been avoided without “hi-tech” or expensive measures.

Cost of a Lost Laptop[3] (2009)

  • The average value of a lost laptop for entities surveyed was $49,246. The cost of a lost laptop climbed dramatically if a data breach occurred.
  • Time matters: If a company discovers the lost laptop in the same day, the average cost is less than $9,000. If it takes more than one week, the average cost rises significantly to almost $116,000.
  • The average full cost of a lost laptop is highest for services industries ($112,853), followed by financial services ($71,820), healthcare ($67,873), and pharmaceutical ($50,393).

[1] Source: Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach.
[2] Source: 2010 Data Breach Investigations Report, a study conducted by the Verizon Business RISK Team in cooperation with the United States Secret Service.
[3] Source: Ponemon Institute, The Cost of a Lost Laptop, published April 22, 2009.