MOUNTAIN VIEW, Calif. (4/6/11)--For the fifth consecutive year, the cost of data breaches grew, with the average organizational cost of a data breach increasing to $7.2 million--an average cost of $214 per compromised record, compared to $204 in 2009, according to a new study. The 2010 Annual Study: U.S. Cost of a Data Breach, released by Symantec Corp. and the Ponemon Institute in March, also found that for the second year the need for organizations to respond quickly to breaches helped drive the costs associated with the breaches higher. Credit unions have been hit with the costs of data breaches that have occurred at other organizations. Some have even sued the companies breached to recoup the costs of replacing compromised cards. The findings that costs are rising are no surprise, but remain a reminder of the importance of protecting members' data. The study is based on data breach experiences of 51 U.S. companies from 15 industry sectors, including the finance and retail sectors. The breaches ranged from 4,200 to 105,000 compromised records. Among the key findings:
* Rapid response to data breaches costs companies 54% more per record than at companies that respond more slowly. Forty-three percent of companies notified victims within one month of discovering the breach, up seven points from 2009. In 2010, these quick responders had a per-record cost of $268, up 22% from 2009. Companies that were slower to respond paid $174 per record, down 11%.
* Malicious or criminal attacks are the most expensive and are on the rise. In this year's study, 31% of all cases involved a malicious or criminal act, up seven points from 2009. They averaged $318 per record, up 43% from 2009.
* Negligence remains the most common threat. The number of breaches due to negligence edged up one point to 41% and averaged $196 per record, up 27% from 2009. This steady trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies, said Ponemon and Symantec.
* Companies are more vigilant about preventing system failures. System failure dropped nine points to 27% in 2010. This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations.
* Data breach costs continued to rise. The average organizational cost of a data breach this year increased to $7.2 million, up 7% from $6.8 million in 2009. Total breach costs have grown every year since 2006. Data breaches in 2010 cost companies an average of $214 per compromised record, up $10 (5%) from last year.
* Encryption and other technologies are gaining ground as post-breach remedies. However, training and awareness programs remain the most popular, with 63% of respondents using training and awareness programs after data breaches--down four points from 2009. Encryption is the second-most implemented preventive measure as a result of a data breach, with 61%. Both encryption and data loss prevention solutions have increased 17% since 2008.
According to Idrees Rafiq, assistant vice president of Financial and Technology's IT Consulting, a department of Credit Unions Resources Inc. in Texas, companies experiencing large security breaches face regulatory, reputation and legal risks. "As we saw with breaches in the past--for example, Homeland--not only were there nationwide newspaper articles and genuinely 'bad' press, numerous lawsuits were filed and regulatory authorities had no choice but to get involved in the matter," Rafiq told the Texas Credit Union League (LoneStar Leaguer, April 5).
The overall trend shows that the criticality of data protection continues to rise along with the cost. Updating security policies, software and hardware to protect data from cyber-attacks is crucial as the threat to businesses and consumers increases and becomes more visible, he said. Rafiq warned credit unions to be diligent through prudent security practices, staff education, consistently updating and patching system software and, most importantly, monitoring and protection of member data. He also reminded credit unions that the National Credit Union Administration (NCUA), in its Rule 748, provides guidelines for information security and protection of member data. He recommended retaining an experienced, professional third-party vendor to perform a thorough security risk assessment of the credit union's information system and a security evaluation. Symantec recommended organizations implement the following best practices, whether or not they have suffered a data breach:
* Assess risks by identifying and classifying confidential information;
* Educate employees on information protection policies and procedures, then hold them accountable;
* Deploy data loss prevention technologies that enable policy compliance and enforcement;
* Proactively encrypt laptops to minimize consequences of a lost device; and
* Integrate information protection practices into business processes.