[ISN] Consumers punish firms over data security breaches

From: InfoSec News (isn@private)
Date: Tue Nov 15 2005 - 23:17:50 PST


http://www.theregister.co.uk/2005/11/15/data_security_breach_survey/

By John Leyden
15th November 2005

Consumer data security breaches are leading to customer revolt and an
average cost per incident of $14m, according to a brace of surveys out
this week.

One in five US consumers quizzed by Ponemon Institute [1] said they
immediately terminated their accounts with vendors that lost their
information. An additional 40 per cent polled by the organisation's
National Survey on Data Security Breach Notification considered taking
their business elsewhere after receiving notifications of information
mishandling. The survey polled 9,000 consumers, 12 per cent of whom
had received notices of information security breaches.

A parallel study conducted by Ponemon estimates an average cost of
$14m per security breach incident, with costs ranging as high as $50m.  
The survey, Lost Customer Information: What Does a Data Breach Cost
Companies?, is among the first to look at data from actual cases of
lost customer data. Covering 14 separate incidents, the research
encompasses 1.4m compromised data records and an estimated total of
$200m in resulting losses. Total cost estimates include the actual
cost of internal investigations, outside legal defense fees,
notification and call center costs, PR and investor relations efforts,
discounted services offered, lost employee productivity, and the
effect of lost customers.

Both studies show customers are punishing companies that lose their
confidential and private information. However the second corporate
study suggests a lower number of consumers take their business
elsewhere following consumer data security breaches. This study
suggests an average loss of 2.5 per cent of all customers, ranging as
high as 11 per cent, as compared to 20 per cent defection after
security screw-ups suggested by the consumer survey.

Corporations no longer have the option of hoping that US customers
will not find out about mishandled information. Currently, 21 US
states have laws requiring that customers or employees be notified
when protected personal information has been breached. A series of
high-profile consumer data security breaches involving US firms
including data mining firm ChoicePoint, payment processing firm
CardSystems Solutions and others have pushed the issue up the
political agenda.

Security firms such as PGP Corporation are cited by Ponemon as
emphasising the need for wider use of encryption technologies in
safeguarding customer data. Ponemon's studies can be downloaded from
PGP's website here [2] (registration required). ®

[1] http://www.ponemon.org/ 
[2] http://www.pgp.com/ponemon



_________________________________________
Earn your Master's degree in Information Security ONLINE
www.msia.norwich.edu/csi
Study IA management practices and the latest infosec issues.
Norwich University is an NSA Center of Excellence.



This archive was generated by hypermail 2.1.3 : Tue Nov 15 2005 - 23:42:34 PST