One of the challenges that businesses regularly face is how to balance the known costs of network, application and data protection against the unknown costs of a data breach or series of breaches. Often, business owners or IT staff are left to guess or, worse, fail to acknowledge the costs and consequences of a significant breach of information.
Thanks to the Ponemon Institute, new research data is available to help provide guidance on the costs of a data breach. Some key facts from their research:
- 7% – the increase of data breach costs in 2010
- $214 – the average cost per individual record compromised
- $7.2 million – the average organizational cost of a data breach
Additionally, this research shows that malicious acts were the root cause of 31 percent of the data breaches studied, which is significantly up over the last two years. But, the leading cause of data breaches is negligence – a whopping 41 percent of breaches are due to negligence in protecting and safeguarding sensitive data.
What can a business glean from this? Take this recent example from the University of South Carolina, where 31,000 individuals’ private information, including social security numbers, was exposed online. When applying the $214 cost per record, a quick calculation shows that the University is facing a potential cost of $6.6 million.
But, obviously not all data breaches cost the same. Maybe a better example is the recent settlement made public in Massachusetts. Here, the Massachusetts Attorney General reached a $110,000 settlement with a restaurant group that allegedly failed to protect patrons’ personal information.
The Briar Group LLC, the owner and operator of the Boston-based restaurants and bars, allegedly failed to take proper steps to keep payment card information safe. In addition to civil penalties, the Briar Group must comply with state data security regulations, payment card security standards (PCI DSS), and it must establish and maintain an enhanced computer network security system going forward.
If one applies the Ponemon cost per record to the Briar Group, the $110,000 settlement would mean that the organization only lost 514 customer records. Keep in mind, the period of the breach lasted eight months. It seems unlikely that in eight months only 514 records were compromised. The actual number of compromised records is certain to be much higher.
In the spectrum of data breach costs, the $110,000 settlement appears to be on the very low end of the scale. What is not accounted for is the loss of public trust and the brand damage to the Briar Group and their restaurants and bars. It’s hard to say what those damages will be.
Bottom line: data breach costs are going up. With an average cost of $7.2 million per data breach event, the expenditures to protect networks, applications and data suddenly appear to be minuscule. As Benjamin Franklin said, “an ounce of prevention is worth a pound of cure.” Too bad that the Briar Group didn’t take that advice.