Symantec Corporation and the Ponemon Institute proudly present 2010 Annual Study: Global Cost of a Data Breach, the second annual study analyzing the cost of data breach incidents for companies in five countries: the United States, the United Kingdom, Germany, France and Australia (all converted into U.S. dollars).
This year’s study analyzes the actual data breach experiences of 154 global companies from 17 different industry sectors. The report reveals how much companies pay for each kind of data breach studied, based both on primary breach causes and organizations’ common breach response. We also discuss any changes from previous benchmark studies and what those changes mean to organizations in an evolving data protection environment.
Taken together, this year’s results suggest that data breaches remain a persistent threat, one that the large majority of companies have already experienced. The data security threat landscape continues to worsen and data breach costs continue to rise, particularly at the low end of the cost scale. Organizations are responding by locking down IT systems to prevent breaches and by acting proactively, quickly and competently when breaches occur. Despite these positive steps, they still face increasing challenges from their own people, equipment and outsourcing partners.
This year, multiple factors apparently confirm that regulatory compliance is surpassing data protection as the main driver of companies’ data breach costs, and in some cases may lead companies to pay more than they otherwise would. We base our conclusion on key findings, including:
- Breach costs correspond with national data protection priorities, especially regulatory compliance
- Generally, costs are highest and rising the fastest for high-risk breach types targeted by laws and regulations and are lowest and rising the slowest, or even shrinking, for breach types not involving them
- Across the board, companies are becoming more proactive in the face of worsening data breach threats
- Lost business and/or ex-post response are increasingly becoming the main components of data breach costs in all countries surveyed
We analyzed these findings in light of a number of milestones in 2010 for global data protection and the fight against cyber attacks and data breaches. Governments took decisive steps to strengthen data privacy oversight while high-profile incidents continued to make headlines and damage lives and businesses. IT and IT security, and especially data protection, for the first time have become top headline material in the global media. The issues even helped decide national elections in Germany in 2009 and Australia in 2010. These trends reflect the intensity of IT implementation challenges, regulatory requirements and data security threats companies worldwide face today.
As a result of these pressures, and responding to public demand, all countries studied have made improving cybersecurity a national priority. Germany, the United Kingdom and Australia gave their national data privacy offices additional powers. All governments surveyed except the United Kingdom introduced legislation to improve their powers to protect sensitive data. The U.S. Congress introduced numerous bills that made further progress toward a national data breach notification law. German lawmakers introduced draft legislation designed to improve data protection for employees. Australia and France, two countries without data breach notification laws, introduced landmark draft legislation that would eventually create them.
All these discussions about data breach prevention and notification are taking place while broader economic and technological trends are making data protection – and its absence during a breach – even more relevant. The stumbling global economy has forced many companies to reduce costs and improve efficiencies, leading to increased use of outsourcers, mobile technologies and application delivery models such as cloud computing. A major side effect of moving so much data off in-house IT networks is that organizations must take more responsibility for protecting their data wherever it is, especially when that data is in third-party hands.
In conclusion, our 2010 research once again suggests that global organizations by and large take their stewardship of sensitive personal data seriously and are taking greater steps to protect it from breaches by implementing data protection best practices and technologies. Despite its limitations, the research indicates that such investments provide a positive return. This insight is especially important as more organizations deploy mobile devices and new technologies such as cloud computing and virtualization which, even as they offer tremendous functionality and cost savings, create new challenges for data protection.