Forgot your password?
typodupeerror
Security IT

Data Breach Costs Top $200 Per Customer Record 54

Posted by CmdrTaco
from the that-adds-up dept.
alphadogg writes "The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. The Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it. In tallying the cost of a data breach, the Ponemon Institute looks at several factors, including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training."
This discussion has been archived. No new comments can be posted.

Data Breach Costs Top $200 Per Customer Record

Comments Filter:
  • by Finallyjoined!!! (1158431) on Monday January 25, 2010 @02:35PM (#30893636)
    For a second there I thought I'd read "The Pokemon Institute"
    :-)
  • Also (Score:5, Insightful)

    by Tablizer (95088) on Monday January 25, 2010 @02:36PM (#30893652) Homepage Journal

    A related question is: how much does it cost to prevent. Managers will ask.
       

    • Based on probability of a breach: too much. If your chance of a breach is low (say, in the 1% per year range), that's only $2 per account compromised, or a cost of $600k per year. And great security only reduces the chance - it does not eliminate it.

      There's also the lion attack argument: you only have to run faster than the slowest person being chased. Now, in this case, that might be the bottom 10%, but the goal is to be just enough better than the softest targets that you are unlikely to get hit. If you a

      • This is really the great thing about distributions like OpenBSD, Engarde Linux, Openwall, and other FOSS secure systems. They just don't buy into that shit. Oh and thank the US government for also giving a rats ass and providing us with SELinux too.

      • They would change their tune if they also had to pay all the customer costs of a data breach, which arguably they should be compelled to do.

        The cost to a single customer from a data breach could easily be in the tens of thousands of dollars. I bet that would wake these people up.
    • by jgtg32a (1173373)

      Less than the encryption solution we've been lusting for. Most of the notification laws are written such that if you've encrypted you don't have to tell anyone about the breach.

    • A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.

      Seemed applicable

      • Except that's what Ford did with the Pinto, and once those documents were shown to the jury, the penalty award was set a lot higher. Thus those calculations don't work.

        • Lesson learned, "don't keep those documents anymore"
          • by MrMr (219533)
            Yep, that is what we nowadays call 'document retention policy', it essentially means you get a license to burn evidence before the trial starts.
    • Another related question: how much does it cost the average individual whose data has been compromised? That would allow us to tell if the $200 cost is out of line with the results.

      It's not going to be easy to determine, of course. Probably most people don't suffer significantly from a compromise, but some people lose a lot of money, have to spend a lot of personal time trying to clean things up, and suffer great stress, which isn't going to be easy to monetize. Moreover, not everybody who loses mone

  • by girlintraining (1395911) on Monday January 25, 2010 @02:39PM (#30893670)

    The cost of a data breach increased last year to $204 per compromised customer record...

    Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business. The only thing a business is concerned about is revealing the breach to the public because it could harm its reputation. Everything else can be mopped up in the insurance and legal departments. The costs of a data breach are thus passed on in aggregate to not just the company's customers, but to every business that purchases insurance from that insurance vendor. And given the lack of diversity in the insurance market (ie, most of the market is controlled by only a few businesses) -- more than likely, that's a lot of businesses.

    And that's how businesses manage risk -- and pass the costs on to you. And the problem will therefore never go away, because it's been put inside an SEP Field (Somebody Else's Problem), the most powerful repulsive force in the universe.

    • No, this is just such horrible thinking it makes me want to throw feces at you. This sort of ridiculous thinking is the entire reason there's a HealthCare problem in America. Insurance companies MAKE PROFIT. Therefor, RISING COSTS ON INSURANCE COMPANIES MEAN RISING COSTS FOR EVERYONE. When a hospital sends a bill to a patient's insurance for $100,000, where do you think the insurance company gets the money? When a big business sends a bill for 6mil to their insurance company, guess where the money comes fro
      • I think you got enough capital letters in there, but can you add more exclamation points to your post please? My doctor says if I don't get enough each day I may start to believe what people say on the internet, and then I have to get a referral to a psychiatrist. Also, begging to differ with you -- but money does grow on trees if you make your standard currency the leaf. Our great, great ancestors used that currency for a short time. But then a crazy man chasing a chesterfield sofa across prehistoric field

    • by Attila Dimedici (1036002) on Monday January 25, 2010 @02:45PM (#30893734)

      The cost of a data breach increased last year to $204 per compromised customer record...

      Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business. .

      The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that takes steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

      • The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that takes steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

        That's an oversimplification. Most insurance companies release guidelines that you have to comply with to get certain rates. For example, your auto insurance may be lower because you have a car alarm on it. That doesn't mean the car alarm works, or was from a reputable vendor, just that something on that car now meets the definition of "car alarm". Lots of checklists like this exist in the business world -- they add the appearance of security, but do nothing to actually create security. For example, the Sar

      • by vlm (69642)

        The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that takes steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. SO, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.

        One of my wife's friends, an insurance underwriter, once explained that underwriters are experts on applied statistics. They are like an experimentalist scientist whom doesn't know anything about the subject but is an expert at making predictions based on correlation coefficients and regression analysis. Maybe she was oversimplifying or drunk, whatever, thats just what I heard.

        The relevance to the story is, that no insurance underwriter can provide an honest intelligent evaluation of data breach costs, mu

        • >

          Also most businesses self insure anyway. The little ones are too fly by night and poor to afford insurance and are judgment proof anyway, and the big ones take risks that are bigger than the insurers themselves and have large enough legal and lobbying departments to be above the law. So the only companies affected are vaguely medium sized. Think, like a small restaurant chain sized company, maybe a single plant manufacturing company.

          So, companies that self-insure are on the hook for the entire cost of the security breach, which re-enforces my point. Insurance does not remove the market consequences to a company not protecting its data from a data breach.

      • by Tanktalus (794810)

        I checked into the savings I'd get on my house insurance if I got a house alarm. IIRC, it was about $30/year (~10% at the time). Cost of monitoring? $20+/month. So, basically, the savings on my house insurance are about 6 weeks of monitoring. I still have to fund the other 46 weeks.

        So the question a business will ask is whether the cost of securing their data is more or less than the loss of insecure data, insurance rates included. I'm betting the cost of securing data will be far, far more than any i

    • Nothing in this world is free. There is a cost for everything. The good thing is that we found the cost of privacy breaches. The next step is to compare them to the cost of increasing current security. If it is found that the marginal benefit of having less breaches offsets the marginal cost of increasing security, then action should be taken to follow that course of action until we reach equilibrium.
      Privacy costs money. It is not a value that should be pursued no matter the cost; rather, the costs should
  • bogus numbers (Score:3, Informative)

    by Lord Ender (156273) on Monday January 25, 2010 @02:45PM (#30893736) Homepage

    The vast majority of companies hide the fact that they are breached (constantly, in many cases). It costs them very little to just rebuild the hacked server, smack the admin who set root's password to 'root', and then pretend nothing happened.

    • by jgtg32a (1173373)

      And then if you get caught doing that you run afoul of the data breach notification laws, pay ~$204 per record and then get additional fines tagged on for trying to hide it.

    • by Tanktalus (794810)

      Yeah, what kind of dumass has root's password set to 'root'? Mine is '123456'. I reserve 'root' for my regular user's password. No one will ever guess THAT.

      • Well, what I see typically isn't "root/root" but rather "tomcat/tomcat" and "mysql/mysql". The sysadmins know their shit unless they're green or foreign, these days. It's the developers/app-people who have no clue about security.

  • by Muad'Dave (255648) on Monday January 25, 2010 @02:46PM (#30893756) Homepage

    Data Breach Costs Top $200 Per Customer Record

    My first reading of the headline left me wondering what company was named 'Top' and when was their data breach.

    • by Em Emalb (452530)

      They make baseball/football/whatever cards.

      But yes, more to the point, it appears a monkey with bird flu banging on the keyboard while vomiting violently wrote the subject.

    • Confusing, are some verbs.
  • The article says the costs increased by $2 since 2008. So the headline is actually referring to something that happened back before 2008.

  • before I believe this. How does one spend that much per record? A bit more detail would be nice...
    • by vlm (69642)

      before I believe this. How does one spend that much per record? A bit more detail would be nice...

      (Made up number) / (Another made up number) = $204

  • ...is to release more records per breach. Cost-per-record will plummet.
  • And the current value of one individual's personal data is now estimated to be worth...wait for it...

    USD$200.00

    Whomever came up with the blinding revelation in Ponemon Institute's annual study didn't have to work too hard to arrive at that number. One google search and they took the rest of the day off...nice! Way to make tee time :)

Little known fact about Middle Earth: The Hobbits had a very sophisticated computer network! It was a Tolkien Ring...

Working...