Business data breaches found to be more costly than thought

This year's major breach at the Veterans Affairs Department cost $7 million just to send letters to the affected veterans.

A new study reports that data breaches may cost companies even more than previously thought. The Ponemon Institute released its annual study on the cost of data breaches and found that they cost companies on average $182 per compromised record.

The institute arrived at the number by analyzing incidents involving 31 companies, all but one a Fortune 500 company. Institute Chairman Larry Ponemon said the companies choose to turn over their data on data breaches in hopes of gaining a benchmark of how they were doing.

"It shows the real cost of doing privacy wrong," Ponemon said. He said the costs include detecting the problem, a step that often involves consultants, auditors and maybe lawyers. He also looked at the cost of losing customers, fixing the leaks and notifying people whose records were compromised.

Vontu and PGP, two security companies, helped fund the Ponemon study.

Ponemon said the cost of printing and mailing notices is "gigantic." He noted that this year's major breach at the Veterans Affairs Department cost $7 million just to send letters to the affected veterans, including him.

Then there is the cost of creating call centers for disgruntled customers and credit-monitoring or reporting services to help customers who could become identity-theft victims, which Ponemon estimates at $15 to $30 per person.

Ponemon said his previous study, which covered 14 companies for 2005, showed a breach cost of $138 per record. He noted that the cost increased 31 percent this year. But he acknowledged that "a benchmark study of companies is not statistically rigorous."

"We think our data is a good conservative estimate," he said, calling it conservative because the companies had better-than-average security procedures.

Previously, there have been few studies on the cost of data breaches. Gartner, a security research firm, estimated at congressional hearings this summer that the average cost of a data breach is $90 per person, whereas encrypting the records would cost $6 per person.

Gartner and companies offering security solutions complained to lawmakers that the technology solutions exist, but that companies would not invest in better security unless forced to by legislation, or unless the investment was clearly worth it.

Four different bills aimed at curbing data breaches by forcing companies and the federal government to notify victims have languished. The Center for Democracy and Technology and Consumers Union are among those fighting against one measure, H.R. 3997, for being too weak. The bill would allow companies to conduct their own investigations into data breaches to determine if notifying victims is necessary.

The Privacy Rights Clearinghouse reports that there have been 330 data-loss incidents affecting 93 million individual records since February 2005. A report released this month from the House Government Reform Committee also found that data loss is pervasive among federal agencies.