2009 Ponemon Institute "Cost of a Data Breach" Study Released

This past week, the Ponemon Institute announced the publication of the results of its fifth annual study on the costs of data breaches for U.S.-based companies. The study was sponsored by the PGP Corporation. A similar report for U.K.-based companies was also released. This year's report, entitled 2009 Annual Study: Cost of a Data Breach, presents the results of the Ponemon Institute's research into data breach incidents occurring in 2009.

Overall, as with previous years, the study found that U.S. organizations continue to experience increased costs associated with the data breaches they experience.

The 2009 U.S. study surveyed 45 U.S. companies across 15 industry sectors, with the most heavily represented being the financial, retail, services and healthcare industries. The size of the breaches experienced by the surveyed companies ranged from approximately 5,000 compromised records to approximately 101,000 compromised records, with total costs ranging from approximately $750,000 to nearly $31 million.

This year’s study revealed that the average per-record cost of the data breaches experienced by the surveyed organizations was $204 in 2009, just $2 more than the average per-record cost in 2008 (see the Privacy Blog’s posting on the Ponemon Institute’s 2008 Study), but a $66 increase over 2005, the first year the Ponemon Institute conducted this study, when the average per-record cost was $138.

The costs of a data breach include both direct costs (such as communications, investigation and forensics, and legal costs) and indirect costs (such as lost business, public relations costs and new customer acquisition costs), and the study found that some industries experience a higher customer churn rate (i.e., lost business) than others. The industries with the highest customer churn rates in 2009 were the pharmaceutical, healthcare, communications, financial services and services industries.

The study also revealed a variety of primary causes of data breaches experienced by the surveyed companies, including, for example, that:

  • 42% of all breaches studied involved a third party, either through errors made by the third party or through compromises incurred while the company’s data was in the third party’s possession or control.
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices. Interestingly, the study found that the per-record cost of a data breach involving a stolen laptop or mobile device was just over $224, whereas the per-record cost of a data breach not involving a stolen laptop or mobile device was only around $192.
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).
  • 82% of all breaches studied involved organizations that had experienced more than one data breach involving the compromise of more than 1,000 records containing personal information.

This study can serve as an extremely useful tool for companies seeking to understand the full scope of the potential costs of a data breach (both direct and indirect). It also supports a cost-benefit analysis weighing the cost of implementing pre-breach, prophylactic measures (such as policies, training, encryption of sensitive information and other security controls) against the potential cost of experiencing, and dealing with the aftermath of, a breach that could have been avoided or at least mitigated.

No Doubt No Reasonable Suspicion Required -- Laptops Now Fair Game at the Border

My very first blog post addressed a precedent-setting decision of the Central District of California holding that federal agents could not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. Eighteen months later, the Ninth Circuit has squarely reversed that decision. In a short opinion filed April 21, 2008, Judge O’Scannlain wrote in U.S. v. Arnold, No. 06-50581, that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." As far as the Ninth Circuit is concerned, for purposes of border searches under the Fourth Amendment, laptops and other electronic storage devices are not so much like a home or the human mind – they are more akin to luggage or a car.

Arnold never claimed that the government’s search of his laptop damaged it in any way, therefore not invoking the "exceptional damage to property" exception to suspicionless searches. Further, although Arnold did raise the "particularly offensive manner" exception, the court found there was nothing in the record to "indicate that the manner in which the CBP officers conducted the search was ‘particularly offensive’ in comparison with other lawful border searches." The customs officers simply asked Arnold to boot up his laptop and looked at what was there. The court failed to discern any meaningful distinction between such a search and suspicionless searches of travelers’ luggage at the border.

The court also refused to adopt Arnold’s analogy to a search of a home, noting that the Supreme Court has rejected extending the Fourth Amendment protections afforded to homes to property "‘capable of functioning as a home’" simply due to its size. The court also rejected the notion that the quality or nature of the container merited a distinction in this case. A laptop, the court reasoned, is more like a mobile home than a home or office; the Supreme Court has refused to treat a mobile home differently from other vehicles because it is readily movable, and the expectation of privacy with respect to a car is significantly less than that relating to a home or office. The court further noted that case law does not support a finding that a search is particularly offensive because of the storage capacity of the object searched.

Finally, the court rejected Arnold’s argument that the First Amendment requires reasonable suspicion for a border search where the risk is high that expressive material will be exposed. The court refused to create a split with the Fourth Circuit’s decision in United States v. Ickes, 393 F. 3d 501 (4th Cir. 2005). The Fourth Circuit declined to "carve out a First Amendment exception to th[e border search] doctrine because such a rule would: (1) protect terrorist communications ‘which are inherently ‘expressive’’; (2) create an unworkable standard for government agents who ‘would have to decide—on their feet—which expressive material is covered by the First Amendment'; and (3) contravene the weight of Supreme Court precedent refusing to subject government action to greater scrutiny with respect to the Fourth Amendment when an alleged First Amendment interest is also at stake."

Needless to say, the Ninth Circuit’s decision in Arnold has significant implications for anyone who travels with unencrypted confidential and/or personally identifiable information on a laptop or other electronic storage device. Companies whose personnel routinely travel with such sensitive information must reevaluate their information security policies and consider measures that will protect that information from unauthorized access during international travel. It cannot be assumed that affected entities and individuals can simply wipe laptops and other storage devices clean of such information before travel. Such procedures may create practical problems and inefficiencies, and may even run afoul of legal or litigation holds requiring the preservation of data in a particular form.