FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.
What has been suspected now has been confirmed - the cost of data breaches is substantial. Indeed, a report titled "2009 Annual Study: Global Cost of Data Breach" shines a very bright light on the actual cost of activities stemming from more than 100 breach incidents across multiple industry sectors, numerous organizations, and a handful of different countries. The average global total cost of each data breach in 2009 was $3.43 million, with an average cost of $142 per affected record. And here in the United States, the average total cost per breach was a staggering $6.75 million, with an average cost of $204 per affected record.
The report compiled by the Ponemon Institute and sponsored by PGP Corporation, analyzed average costs of data breaches in Australia, France, Germany, the United Kingdom and the United States. Perhaps not surprisingly, the costs were highest where data breach notification laws place requirements on organizations that experience a breach to disclose the details of breach incidents. Accordingly, the costs were the highest in the United States, where practically all states at this point have passed data breach legislation. And Germany, where similar laws were placed last year, experienced the second-highest costs. In terms of the average total costs per breach and the average cost per affected record, the numbers were as follows: Australia $1.83 million/$114; France $2.53 million/$119; Germany $3.44 million/$177; the United Kingdom $2.57 million/$98; and the United States $6.75 million/$204. As other countries pass data breach laws, associated costs likely will spike in those locations.
In a wake up call to companies, on average 44% of incurred data loss expenses related to lost business. When customers learn of data breaches, they evidently take their business elsewhere. This should encourage companies to do their very best in preventing and addressing breaches. With respect to the percentage of data loss expenses relating to lost business, the numbers come in like this: Australia 33%; France 30%; Germany 34%; the United Kingdom 46%; and the United States a whopping 66%.
The report also demonstrates that when third-party and/or criminal attacks caused breaches, costs increased due to added forensics and investigations that were launched. The report further details that when there is a strong Chief Information Security Officer (CISO) who took active responsibility for managing a breach, costs were lower across the board in all five countries that were studied.
Data security breaches plainly can affect that bottom line for an organization, no matter the country, even if the costs are higher in some countries than others. It behooves organizations to get their data houses in order on the front-end, and when a breach happens notwithstanding best preventative efforts, the breach should be managed swiftly and effectively by a strong CISO with the assistance of legal counsel skilled in this area.
- Data Security Breaches Cost Real Money (FindLaw's Technologist Blog)
- Lawsuit over Heartland Payment Systems Breach Is Dismissed (FindLaw's Decided Blog)
- It is Time To Address Data Breaches In Colleges And Universities (FindLaw's Technologist Blog)
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at firstname.lastname@example.org. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.