New Ponemon Data Breach Study Finds Breach Costs Have Fallen

Since its first issue seven years ago, the Ponemon Institute’s annual Cost of Data Breach Study (“CDBS”) has become a must-read for privacy and breach professionals. The latest CDBS, covering the 2011 year, can be considered a bookend to Verizon’s annual Data Breach Investigations Report, whose 2012 edition was likewise recently released. The two reports paint a data breach landscape that has changed and continues to change. The 2012 CDBS summarizes data collected in interviews with over 400 individuals from 49 participating organizations.

In the “good news” department, the CDBS – which focuses exclusively on U.S. data breaches – highlights several comforting findings. The most significant is that “[f]or the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194.”

The CDBS surmises that “[t]his decline suggests that organizations represented in this study have improved their performance in both preparing for and responding to a data breach,” and I’d agree. [Full Disclosure: Attorneys at the InfoLawGroup have handled numerous actual and suspected data breach investigations and responses.] At this point in time, established procedures, processes and deadlines for responding to a data breach are well understood, even though the statutory and regulatory landscape continues to shift.

The result is that established parties called upon to handle or aid in a data breach are generally experienced and have the processes down to, if not a science, at least a well-honed procedure guided by battle-tested plans. This is not to say that data breaches have become a ho-hum or blasé low-priority incident. Not at all, as anyone who’s been involved with one can testify. Data breaches are stressful and trying, but, at least according to the CDBS, a slightly less expensive event now than they were in previous years.

However, one caveat should be noted before you unbox the party hats. The CDBS clearly states that it does “not include organizations that had data breaches in excess of 100,000…” Why? Because the Ponemon Institute feels “they are not representative of most data breaches and including them in the study would skew the results.” Many have mixed opinions on this elision. I recommend a quick read through the entire 27-page report to draw your own conclusions.

Nevertheless, despite this lacuna, other key findings in the CDBS are that:

  • More customers remain loyal following a data breach
  • Negligent insiders and malicious attacks are the main causes of data breach (dovetailing with Verizon’s DBIR, which first and foremost dubbed 2011 the year of “hacktivists” who caused 58% of data theft breaches in 2011)
  • Lost business cost declined sharply from $4.54 million in 2010 to $3.01 million in 2011
  • Certain organizational factors can reduce the overall cost of a data breach
  • Specific attributes or factors of a data breach can increase the overall breach cost
  • Detection and escalation costs declined in 2011 but notification costs increased

Other Notable Topics Covered in the CDBS

Cost of Data Breach Decline – So what does it mean that the cost per record in a data breach has dropped to $194 from $214? The answer lies squarely in what the CDBS dubs “indirect costs,” such as abnormal turnover and churn of existing and future customers: the report places $135 of the $194/record price tag in the indirect cost bucket. Last year’s average indirect cost per record tallied $141. Whether people have been inured to or fatigued by the steady “oh, look, I received another data breach notification in the mail,” the fact is that fewer people now respond to a data breach by jumping ship.

Perhaps more significant in the long term, however, is the CDBS’ finding that the average total “organizational” cost of a data breach has plunged 24% from 2010 to 2011 – from $7.2 million to $5.5 million. By any measure this is an eye-opening drop. So what’s behind it? The CDBS identifies four key metrics driving this drop: the decrease in per capita breach cost; the average size of a data breach; the decrease in abnormal customer churn; and finally a drop in the average total cost of a data breach response.

Again, however, caution is warranted before popping those champagne corks, as your mileage may vary, dramatically so, depending on your specific industry. The CDBS notes that per capita costs from a breach range widely by industry sector: from a low of $89 for “media” companies to a high of $247 to $334 for financial, pharma and communications companies. The end result is that while the “average” cost of a data breach has dropped, your individual breach-related costs may not follow this average – recognizing, as always, the importance of having an experienced response team on hand with proven breach investigation and response skills.

As always, human nature is the driver behind the majority of breaches: according to the CDBS, 76% of data breaches were traced to either negligence or a malicious or criminal attack. As a subgroup, malicious attacks remain, as in previous years, the most costly data breach scenario (whether by outsiders or criminal insiders), with an average per capita cost of $222 – significantly above the heralded mean of $194. Correspondingly, breaches caused by negligence had a per capita cost of $174, below both the overall mean and the malicious-attack average.

Of the malicious or criminal attacks leading to breach, fully 50% were traced back to viruses, malware, worms and Trojans. Web-based and social engineering attacks leading to a breach were each 17% of the malicious or criminal attacks experienced by the 18 companies analyzed by the Ponemon Institute. I draw a somewhat different ultimate conclusion from this CDBS based on my perspective. Namely, it’s very helpful to have these percentage breakdowns in determining how to allocate preventative training and security costs, but one should never lose sight of the fact that your particular breach may not follow the aggregate percentages. In short, attempt to expect the unexpected and remain acutely aware of the fact that your breach could come from an outlier source.

Positive and Negative Attributes Influencing Data Breach Costs – Another instructive portion of the report, with proactive lessons for those facing or preparing for a data breach scenario, is the review starting on page 10 of “[s]ix positive and negative attributes [that] can influence the cost of data breach.” Stepping through the seven years’ worth of lessons learned from its past studies, the Institute gleans a passel of prominent recommendations and insights that can influence the cost of a data breach. The six attributes are:

  • The company has a Chief Information Security Officer (CISO or equivalent title) with overall responsibility for enterprise data protection. The CDBS notes “forty-three percent of the companies [in] its survey have centralized the management of data protection with the appointment of a C-level security professional.” Putting data security in the C-suite is a smart move any way you slice it.
  • Third parties are dangerous. How much of a danger? Well, forty-one percent of organizations suffering a data breach determined it was caused by a third party. Scrutinize carefully any outsourcers, cloud providers and business partners that will be handling or have access to your data.
  • Quick notification is becoming the order of the day. The CDBS states forty-one percent (that percent again) notified victims within 30 days or less. However, a quick draw on notification can be counterproductive, because as the CDBS also notes, those companies that “responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record.” The moral? Be quick, but not too quick with your assessment of the overall data breach.
  • Lost or stolen devices. A hefty thirty-nine percent of organizations suffered a data breach resulting from a lost or stolen mobile device, including laptops, smartphones, tablets and flash drives. Mobility is great and we couldn’t effectively work without it, but recognize the hazard and be proactive.
  • The home team calls in extra help. Thirty-seven percent of organizations in the study hired consultants to assist in their data breach response and remediation. Frankly, I’m surprised that figure isn’t higher, because all too often attempting to handle a data breach internally without experienced help leads to wasted time, inaccurate assessment of the breach, lost productivity and improper notifications. Granted, consultants and outside legal experts cost money, but they may in fact “pay for themselves” in improving the overall breach response efficiency.
  • Data breaches are recurring. Unlike the myth of lightning never striking the same place twice, data breaches do hit the same target again and again. In fact, the CDBS reports – which may surprise some – that “[m]ost of the organizations in this year’s study have already experienced a data breach. Only 22 percent say it is the first time.”

Final Thoughts

I highly recommend a full read of the Cost of Data Breach Study to gain a thorough understanding of the findings and methodology, as well as the limits of the findings, taking special note of the express limitations detailed on page 25. The report is easily read, understandable to IT, legal and C-level executives alike, and provides a concise snapshot of the 2011 data breach landscape. Not only that, but companies that take heed of how and where data breaches have occurred among their peers are forearmed to take the necessary steps both to minimize the chance of a breach occurring and to respond in a cost-effective manner should the worst occur. As always, the attorneys at the InfoLawGroup are happy to discuss any aspect of the CDBS report or your own data breach preparations or response needs with you.