The Ponemon Institute, an independent research center that examines privacy, data protection, and information-security policies, yesterday reported the first decline in at least seven years of both the organizational cost of data breaches and the cost per lost or stolen record.
In the institute’s seventh annual “Cost of Data Breach Study: U.S.,” which compiled data from 49 companies in 14 industries, the average organizational cost of breaches fell to $5.5 million in 2011 from $7.2 million in 2010, while the cost per record dropped to $194 from $214. (The study omits breaches of more than 100,000 records, which it views as atypical and result-skewing.)
According to the survey, sponsored by security vendor Symantec, there’s a strong correlation between lowering the cost of data breaches and employing a chief information security officer (CISO) with responsibility for and authority over security practices, or having a third party help the company implement and govern data-security processes.
Having a CISO, or CISO equivalent, can save up to $80 per lost or stolen record, the survey says. A third party can save as much as $41. It therefore becomes fairly simple for CFOs to calculate the return on that data-security function, which also takes into account reputational impact and customer churn. “It takes money to save money,” says Ponemon Institute chairman and founder Larry Ponemon. “CISOs are expensive. Consultants are expensive. But they pay for themselves by managing projects more efficiently.”
In an environment where data breaches seem increasingly frequent, these findings may seem counterintuitive. Ponemon believes that some of the cost reductions can be explained by consumers becoming less sensitive to the loss of personally identifiable information and numb to data-breach notifications.
“We don’t have numbers, but I think people today are more concerned about the cost of fuel, health insurance, etc.,” says Ponemon. “People care about their privacy, but there’s a growing realization that a data breach doesn’t translate into identity theft. There is some empirical evidence that you’re more likely to become an identity-theft victim if there’s been a data breach, but it’s not 1:1.” Indeed, Ponemon says, the rate of customer loss or churn after a data-breach notification is declining, reducing the cost of lost business in the aftermath of a breach.
The mere concept of privacy may be evolving in the digital age. “I’m waxing philosophical here,” says Ponemon, “but maybe the world is heading toward a place where privacy isn’t the norm. Perhaps a majority of people are becoming fatalistic, believing that control over their own information is diminishing.” He also suggests that people are increasingly willing to trade that control for convenience — for example, by activating geolocation applications on their phones. Yes, your movements can be tracked; on the other hand, if you’re lost, you can call up a map and get directions.
Ponemon cautions that the cost reductions the survey reports should not lead organizations to grow complacent about data security. While the cost of lost business has declined, the cost of notification has risen due to more stringent reporting laws and regulations. “You need to do the basic blocking and tackling,” he says.
Some of those relatively low-cost basics include creating an incident response plan, preparing a standard disclosure or notification document that’s been reviewed by legal, and investigating data-breach insurance. Insurance companies, says Ponemon, are writing more affordable policies and offering self-assessment tools to help companies find gaps in their security structures.