HITECH Hotline: A solution for healthcare data breach response.
Additional Resources
Regulation is getting more complex:
- Currently, a total of 46 states and four territories, including the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, have breach notification laws in place.
- New U.S. Department of Health and Human Services (HHS) guidelines require patient notification of data breaches.
- Enforcement of the Federal Trade Commission’s Red Flags Rule began December 31, 2010.
Ponemon Institute[1] (2011)
For the fifth year in a row, data breach costs have continued to rise. The average organizational cost of a data breach in 2010 increased to $7.2 million, up 7 percent from $6.8 million in 2009.
In 2010, the estimated cost of a general data breach was $214 per compromised record, up $10 (5 percent) from 2009.
- The estimated cost of a data breach caused by negligence is $196 per record, an increase of 27 percent from 2009.
- The estimated cost of a data breach caused by a third-party service provider is $302 per record, 41.1 percent more per compromised record than a general data breach.
- The estimated cost of a data breach involving lost or stolen laptop computers or other mobile data-bearing devices is $258 per record, 20.5 percent more per compromised record than a general data breach.
Organizations experiencing a first breach pay the highest breach costs. In 2010, the cost per compromised record of an organization’s first data breach averaged $326 (up $98 or 43 percent from 2009 data).
Breaches with external consulting support reduced per-record cost by 11 percent.
Ponemon found that two-thirds of surveyed organizations that experienced a breach stated that they aimed to prevent future breaches through training and awareness programs.
Organizations that responded too quickly to a breach paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.
Abnormal churn or turnover of customers after data breaches appears to be a main driver in data breach cost. The average abnormal churn rate is 4 percent. The industries with the highest 2010 churn rate remained pharmaceuticals and healthcare (both up a point to 7 percent).
The industries with the highest 2010 average per-record costs were communications ($380), financial ($353), pharmaceutical ($345), healthcare ($301), and services ($301).
Verizon RISK Team in cooperation with the United States Secret Service[2] (2010)
- Almost 50 percent of the breaches investigated by Verizon and the Secret Service in 2009 were attributed to insiders.
- Eighty-seven percent of breached organizations had evidence of the breach in their log files and did not detect it.
- Forty-eight percent of breaches were attributed to users who intentionally abused their right to access corporate information.
- Most breaches in their sample (85 percent) were not considered “difficult” and could have been avoided without “hi-tech” or expensive measures.
Cost of a Lost Laptop[3] (2009)
- The average value of a lost laptop for entities surveyed was $49,246. The cost of a lost laptop climbed dramatically if a data breach occurred.
- Time matters: If a company discovers the lost laptop in the same day, the average cost is less than $9,000. If it takes more than one week, the average cost rises significantly to almost $116,000.
- The average full cost of a lost laptop is highest for services industries ($112,853), followed by financial services ($71,820), healthcare ($67,873), and pharmaceutical ($50,393).
[1] Source: Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach.
[2] Source: 2010 Data Breach Investigations Report, a study conducted by the Verizon Business RISK Team in cooperation with the United States Secret Service.
[3] Source: Ponemon Institute, The Cost of a Lost Laptop, published April 22, 2009.