Study: Customers don't want data handled outside

24.10.2006
A customer will likely forgive a company once if a data security breach occurs and some of that customer's personal information is put at risk. But if the breach comes at the hands of a third-party vendor working for the original company, customers are likely to be less forgiving and will bolt to another firm for their products and services.

Those are some of the conclusions from a 17-page report, the "2006 Cost of Data Breach Study," released Monday by the Ponemon Institute LLC, an Elk Rapids, Mich.-based firm that looks at information and privacy management practices in business and government.

"It turns out that a major cost... [is] lost business opportunities" when customers no longer trust companies they have worked with and seek out new business relationships, said Larry Ponemon, founder and chairman of the Ponemon Institute and an occasional Computerworld columnist. Given the recent spate of corporate data breaches involving lost laptops, stolen computers and hacked networks, Ponemon said he expected people to become desensitized to the problem -- and complacent.

That isn't what his research showed.

"They're not numb and they do care and they're leaving" business relationships with companies that don't adequately protect their personal information, he said.

The study, which was sponsored by security software vendors PGP Corp. in Palo Alto, Calif., and San Francisco-based Vontu, is based on surveys of 31 companies that had known data breaches earlier this year. This was the second year for the study, which last year focused on 14 companies that suffered data breaches.

The data breaches this year cost the affected companies an average of US$182 per customer, compared to $138 per customer in the 2005 study -- an increase of 31 percent, according to the report. About three-quarters of the costs paid for phone calls to notify customers of a breach, the free or discounted services to compensate for data losses and for the losses incurred when customers took their business elsewhere.

The cost of the breaches to the companies ranged from $226,000 to more than $22 million, with an average cost of $4.7 million, according to the report.

The study found that customers don't like it when personal information is passed on to third-party vendors for processing or storage without their knowledge, Ponemon said. "That's what we find. They have a trusted relationship" with the original company, which they chose to do business with, he said. "They will forgive once, but say, 'Don't let it happen again,' compared to [asking] 'Why does this third-party vendor have my information?'"

The latest study also found that companies that have had data breaches are doing a better job learning from the past incidents about how to bolster breach detection systems and head off future breaches, he said. "Last year in the detection category [of the study], a lot of companies weren't doing great forensics on how to prevent breaches in the future. A lot of companies are now doing better because they're analyzing [processes and information] to prevent it from happening again."

The study found that 72 percent of the breaches occurred because the digital information was not protected properly, while 14 percent occurred because of malicious or insider attacks. About 94 percent of the companies took some kind of preventative action in response to the incidents, the study said.

The breaches that were studied affected between 2,500 and more than 160,000 customers. Lost or stolen laptops, desktop computers, PDAs or thumb drives accounted for 45 percent, or 14 of the events. Lost or stolen files acquired or used by third parties or outsourcers accounted for 29 percent of the breaches, or 9 events. Lost or stolen backup tapes or other media accounted for 26 percent of the incidents, or 8 events. And there were four incidents involving lost or stolen paper records, which made up 13 percent of the breaches.

The companies participating in the study included a software vendor, several banks, a credit card services company, a catalog retailer, a hotel business, a retail pharmaceutical company, an airline, a mortgage company, a utility company and an educational institution. They were not named.