February 4, 2010

Study shows organizations are taking more measures to increase data security

The Ponemon Institute issued their fifth annual Cost of a Data Breach Study in January. While none of the findings are exceptionally surprising, it is heartening to see that in 2009, organizations started paying more attention to and dedicating more resources to the prevention of data breaches than ever before.

The study focused on 45 organizations in 15 industries who experienced data breaches in 2009 and volunteered to share their information for the purpose of the study. The number of records lost or compromised in each incident ranged from 5,000 to over 101,000.

Here's a snapshot of some of the data from the study:

  • The average cost of a data breach increased from $6.65 million in 2008 to $6.75 million in 2009
  • The average cost per record compromised in 2009 was $204
  • Data breaches from malevolent attacks doubled between 2008 and 2009
  • Customer turnover from a data breach accounts for the majority of the cost
  • Healthcare, pharmaceutical, communications and financial services firms are those most likely to be affected by abnormal customer turnover
  • The average cost per compromised record is higher for companies who notify victims quickly

This last bullet affects me from two standpoints. First, as a businessperson, I understand the logic put forth by the Ponemon Institute that rushing to notify customers of a data breach could end up costing more because of inefficiencies during discovery, notification and restitution. It makes sense that companies who methodically study the breach, wait to see the full extent of the damage, and carefully take action steps will be able to keep costs more contained.

But as a consumer whose personal information is in the care of hundreds, maybe thousands of companies around the U.S. and globally, I want to know immediately if my personal information has been lost or compromised. And I want the offending organization to take steps to protect my information without delay. In addition, state laws and the proposed federal Data Accountability and Trust Act require data breach victims to be notified immediately or within a specific time period.

I encourage you to download the study and consider its implications for your organization. And send me your thoughts about data security and data breaches too. Even though the topic is more commonplace than ever before, new ideas and process improvements are always called for.
