Average data breach costs overall increased in all five countries: The average organizational cost of a data breach this year increased to $4 million, up 18 percent from 2009. Actual costs varied widely by country, but last year’s relative rankings remained unchanged. The United States had the most expensive average cost at $7.2 million. Germany came in second with $4.7 million. The United Kingdom and France had nearly identical average costs at $3.1 million apiece. Australia had the lowest average cost at $2 million.
Data breaches in 2010 cost an average of $156 per compromised record, up $14 (10 percent) from 2009. The United States had the highest cost per compromised record, $214, followed by Germany at $191. The other countries had substantially lower costs – France at $136, Australia at $123 and the United Kingdom with the lowest at $114.
Breach costs correspond with national data protection priorities, especially regulatory compliance: 2010 marked the first time that regulatory compliance surpassed data breach mitigation as the main driver behind U.S. companies’ implementation of encryption technologies (and, by extension, other data protection technologies). In Britain, defending against malicious or criminal attacks and a lack of internal preparedness and expertise appear to drive costs. German breach cost trends may indicate that the strengthened federal data protection law is working, while in France regulatory compliance appears to drive spending. Finally, protecting brand and reputation appears to drive spending for Australian companies. Generally, costs are highest and rising the fastest for high-risk breach types targeted by laws and regulations, and are lowest and rising the slowest, or even shrinking, for breach types not involving them:
The highest costs in 2010 belonged to breach types that reflect failure to address the most prominent and dangerous data breach causes: malicious or criminal attacks, lost or stolen devices and third-party mistakes, along with overall lack of preparedness that can lead a company to become a first-time breach victim (first-timer). The opposite was also true: companies that avoided problems and had sufficient internal expertise and preparation (CISO leadership and quick response) to meet compliance demands fared better.
Across the board, companies are becoming more proactive in the face of worsening data breach threats: The willingness of companies in Australia, France and the United States to pay more – sometimes much more – for activities such as quick response and external consulting support may indicate that organizations are spending more on expertise to shore up their compliance (and thus avoid much greater expenses). The most frequent breach attributes overall are CISO leadership, external consulting support and above-average security posture – all of which reflect proactivity on the part of the organizations. Taken together, these figures may indicate that more organizations are taking proactive steps to thwart hostile attacks in the worsening threat environment.
Lost business and/or ex-post response are increasingly becoming the main components of data breach costs in all countries surveyed: All countries except the United States reported higher spending on lost business than last year. All countries except Australia reported higher spending on ex-post response. Notification costs stayed flat in most countries surveyed, while detection and escalation costs varied. The cost of lost business means consumers are concerned about how well organizations safeguard personal data. Compliance with data protection regulations requires organizations to do more to find, disclose and fix breach-related problems. These tasks correspond with the detection and escalation, notification and ex-post response cost activities, respectively. Strong growth in detection and escalation and/or ex-post response could reflect increased compliance activities, as those two stages often require more investment than the notification process.
Manual, policy and training-oriented options remained the most popular post-breach preventive and remediation measures in most countries surveyed: Noticeable changes, however, are that American and French companies started relying more on encryption and other technological solutions. Germany kept its traditional preference for technological solutions but, for the first time, endpoint security solutions have overtaken expanded use of encryption as the most popular measure. Even though organizations still far prefer using traditional approaches, this year’s figures may indicate companies are starting to see more value in technology that can help prevent and mitigate data breaches and meet compliance requirements.