Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in enterprise data protection, today announced the results of the first annual study into the costs incurred by French organisations after experiencing a data breach. The “2009 Annual Study: French Cost of a Data Breach” report, compiled by the Ponemon Institute and sponsored by PGP Corporation, found that each lost customer record cost an average of euro 89 in 2009. The ex-post response is the main contributor to this expense (euro 31), followed jointly by lost business and by detection and escalation of incidents (euro 27 each). With no data breach notification law currently applicable in France, it is unsurprising that data breach notification accounts for only euro 4 of the average cost.
The report focuses on the cost of activities resulting from real life data loss incidents occurring in the past year. A total of 17 French companies and public sector organisations from 11 different industry segments participated in the research, revealing breach events of between approximately 2,500 and 57,700 personally identifiable information records. These breaches cost between euro 400k and euro 6.4 million to manage, with an average cost of euro 1.9 million.
One of the most striking findings of the 2009 study is the significant difference in costs incurred in the various sectors, particularly in the public versus private sector. While the public sector faced average costs of euro 31 per lost record, the cost increased to as much as euro 147 per record in the pharmaceutical industry and euro 140 in the financial industry. These were also the industries that experienced the highest level of customer turnover due to diminished customer confidence and trust, a factor which had no impact on the public sector.
“This first annual study shows that French commercial organisations in particular are being hit hard by the financial impact of data breaches,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “Should the new data breach notification bill that has just been passed by the French Senate be adopted by the National Assembly, the costs associated with handling incidents will surely increase. As this is the first year we have completed the study in France and indeed the first time most of the organisations interviewed have actually calculated the financial ramifications of losing data, it will be interesting to revisit the question in a year’s time and see where and how improvements have been made.”
Factors impacting data breach costs
The 2009 study shows that malicious attacks and botnets are one of the primary drivers of data breaches and cost substantially more than those caused by human negligence or IT system vulnerabilities. The cost per record compromised in a data breach involving a malicious or criminal act averaged euro 138, while breaches from negligence and systems failures had an average per-record cost of euro 85 and euro 77 respectively. These findings suggest that organisations must start protecting themselves more proactively from increasingly aggressive malicious outsiders as a reactive remediation strategy is much more expensive.
Fifty-nine percent of all cases in this year’s study involved organisations that had their first breach. The cost per record for organisations experiencing their first breach was euro 99, versus euro 75 for organisations that had dealt with previous incidents. This may be attributed to the fact that an organisation dealing with a breach for the first time does not have the experience necessary to handle the incident in a knowledgeable and efficient manner.
Third-party errors also cost organisations greatly. Forty-one percent of all cases in this year’s study involved third-party mistakes. Data breaches involving outsourced data to third parties, especially when the third party is offshore, are particularly expensive. The cost per compromised record for data breaches involving third parties was euro 130 versus euro 60 if the breach did not involve a third-party. This is primarily due to additional investigation, forensics and consulting fees.
Finally, 35 percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches involving these devices cost organisations euro 122 per compromised record, euro 51 (72 percent) more than the euro 71 per record for breaches that did not involve such devices.
Post data breach responses
The organisations participating in the research identified encryption and strengthened perimeter controls as the top two technology responses following a data breach, at 25 percent and 21 percent respectively. However, the most popular preventative measures taken were additional manual procedures and controls (53 percent) and training and awareness programs (46 percent). The least popular solutions were endpoint security solutions (8 percent) and security event management systems (5 percent). This suggests reluctance on the part of French organisations to invest in technology solutions and adopt a holistic approach to protecting their data.
“With the growing popularity of IT models such as cloud computing and remote working, data has never been more vulnerable if it is not protected properly,” said Phillip Dunkelberger, president and CEO of PGP Corporation. “By ensuring that the correct technology, policies and procedures have been implemented from the outset, companies can avoid the financially disastrous impact of a data breach and invest instead in projects that will help grow their business and profits.”
A copy of the study, including a full breakdown of the various direct and indirect costs impacting organisations, is available from PGP Corporation at: www.encryptionreports.com.
Source: PR Newswire