[ISN] Business data breaches found to be more costly than thought

From: InfoSec News (alerts@private)
Date: Tue Oct 24 2006 - 22:21:59 PDT


http://www.govexec.com/story_page.cfm?articleid=35328

By Heather Greenfield
National Journal's Technology Daily
October 23, 2006

A new study reports that data breaches may cost companies even more than 
previously thought. The Ponemon Institute released its annual study on 
the cost of data breaches and found that they cost companies on average 
$182 per compromised record.

The institute arrived at the number by analyzing incidents involving 31 
companies, all but one a Fortune 500 company. Institute Chairman Larry 
Ponemon said the companies chose to turn over their data on data 
breaches in hopes of gaining a benchmark of how they were doing.

"It shows the real cost of doing privacy wrong," Ponemon said. He said 
the costs include detecting the problem, a step that often involves 
consultants, auditors and maybe lawyers. He also looked at the cost of 
losing customers, fixing the leaks and notifying people whose records 
were compromised.

Vontu and PGP, two security companies, helped fund the Ponemon 
study.

Ponemon said the cost of printing and mailing notices is "gigantic." He 
noted that this year's major breach at the Veterans Affairs Department 
cost $7 million just to send letters to the affected veterans, including 
him.

Then there is the cost of creating call centers for disgruntled 
customers and credit-monitoring or reporting services to help customers 
who could become identity-theft victims, which Ponemon estimates at $15 
to $30 per person.

Ponemon said his previous study, which involved 14 companies for 2005, 
showed a breach cost of $138 per record. He noted that this year's 
figure is a 31 percent increase. But he acknowledged that "a benchmark 
study of companies is not statistically rigorous."

"We think our data is a good conservative estimate," he said, calling it 
conservative because the companies had better-than-average security 
procedures.

Previously, there have been few studies on the cost of data breaches. 
Gartner, a security research firm, estimated at congressional hearings 
this summer that the average cost of a data breach is $90 per person, 
whereas encrypting the records would cost $6 per person.

Gartner and companies offering security solutions complained to 
lawmakers that the technology solutions exist, but companies would not 
invest in better security unless forced to by legislation -- or if the 
cost investment was clearly worth it.

Four different bills aimed at curbing data breaches by forcing companies 
and the federal government to notify victims have languished. The Center 
for Democracy and Technology and Consumers Union are among those 
fighting against one measure, H.R. 3997, for being too weak. The bill 
would allow companies to conduct their own investigations into data 
breaches to determine if notifying victims is necessary.

The Privacy Rights Clearinghouse reports that there have been 330 
data-loss incidents affecting 93 million individual records since 
February 2005. A report released this month from the House Government 
Reform Committee also found that data loss is pervasive among federal 
agencies.

Copyright 2006 by National Journal Group Inc.
