A new benchmark study released by the Ponemon Institute indicates that the costs associated with data breaches in the U.S. continue to rise. The Fourth Annual U.S. Cost of Data Breach Study (“Study”) found that the average cost of a data breach has risen to $202 per customer record lost or stolen, up from $138 per customer record lost or stolen in 2005, the first year that the study was conducted. According to the Privacy Rights Clearinghouse, since 2005, more than 250 million customer records containing confidential personal information have been lost or stolen.

The Study surveyed 43 U.S. companies that experienced a breach involving the loss or theft of customer or consumer data over the past year. The surveyed companies experienced breach events involving loss or theft of 4,200 to 113,000 records. The cost of individual breach incidents ranged from a minimum of $613,000 to a maximum of $32 million, and averaged $6.65 million per company. The Study concluded that the cost of a breach is proportional to the size of a breach in terms of the number of customer/consumer records lost or stolen. 

Lost Business Largest Component of Data Breach Costs
The results of the Study suggest that companies are learning to manage the costs associated with detecting and responding to data breaches, but have not yet learned how to prevent the loss of business after a data breach occurs. According to the Study, the largest component of data breach costs continues to be the cost of lost business, which results from both the abnormal turnover of customers following a data breach and the diminished rate of acquisition of new customers.[1] In 2008, the lost business component comprised almost 69% of breach costs; that percentage continues a trend in which lost business makes up an increasingly large proportion of data breach costs.

Costs of Detecting and Responding to Breach Steady

Meanwhile, the costs of detecting and reporting a breach, providing notifications after a breach, and responding to a breach (activities such as credit card monitoring, communicating recommendations to customers to minimize the harm caused by a breach, or re-issuing a new card or account number) either remained flat or decreased slightly from 2007 to 2008. This may be because companies now have more mature privacy or information security programs, allowing them to detect and respond to data breaches more efficiently than a few years ago.

Additional Study Facts:

  • Approximately 35% of all data breach incidents involved lost or stolen laptop computers or other mobile data devices, such as memory sticks.
  • More than 88% of all cases in the 2008 Study involved insider negligence.
  • Data breaches involving malicious acts are more expensive than breaches involving negligent acts, costing some $26 per customer record.
  • First-time data breaches are more expensive than subsequent breaches, costing some $243 per customer record versus $199 per customer record for companies that have experienced previous data breaches.

Knowing the potential cost of a data breach should allow companies to weigh that cost more accurately against the cost of putting policies, training, and other security measures, such as encryption, in place before any breach happens.

[1] Perhaps not surprisingly, healthcare and financial service companies that experienced data breaches have the highest rate of customer turnover. The Study surmises that such higher rates of turnover are likely due to customers having a higher expectation of protection for and privacy of their financial and healthcare records.