LONDON, 2 FEBRUARY 2009 - Data breaches are costing companies more than ever as consumers shun those that have lost information, according to a new study.
Data breaches have proven to be a downside of the information age, as personal and financial information faces threats from hackers, careless employees and thieves.
The study is based on a survey of 43 U.S. companies that lost data in 2008, ranging from 4,200 records to 113,000 records across 17 industry sectors, according to the Ponemon Institute, which studies privacy practices at companies and government organizations.
It cost companies on average US$202 for every data record lost in 2008. That's compared with $197 in 2007, $182 in 2006 and $138 in 2005, the first year the study was conducted.
Factored into those figures are how much companies spend on detecting data losses, costs incurred notifying victims and hiring forensic experts and paying for free credit checks for affected consumers, among others.
The most costly factor, however, was loss of business. Of the $202, $139 represented the cost of lost business, up 69 percent over 2007.
"The growth in lost business costs demonstrates consumers do not take a breach of their trust and privacy lightly and have not become desensitized to the issue," the study said.
Health-care and financial-services companies that lost data suffered the worst backlash from consumers. The churn rate -- or the rate at which people change their provider -- was 6.5 percent for health care and 5.5 percent for financial services, the study found. Health-care organizations also face a higher-than-average cost per record lost, at $282.
So far about 44 U.S. states have data breach notification laws, but the laws vary widely. For example, some states exempt companies from telling customers if the lost data was encrypted (some specify 128-bit encryption), or if the breach was stopped before the information was actually acquired by an unauthorized party.
Last month, the Identity Theft Resource Center (ITRC) found that more than 35 million data records were breached in 2008 in the U.S., a record number. The majority of the lost data was neither encrypted nor protected by a password, the ITRC's report found.
ITRC counted 656 breaches in 2008 at a range of well-known U.S. companies and government entities. That was 47 percent more incidents than the 446 breaches counted in 2007.
Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law. But the ITRC said it is likely many more than 35 million records were lost since some companies do not reveal how many records were compromised.