Data Breach Costs Top $200 Per Customer Record
alphadogg writes "The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute's annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. The Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it. In tallying the cost of a data breach, the Ponemon Institute looks at several factors, including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training."
"The Ponemon Institute" (Score:5, Insightful)
Re: (Score:2, Funny)
"I got to buy it, I got to buy it, Chinpoko-MON [wikipedia.org]"
Also (Score:5, Insightful)
A related question is: how much does it cost to prevent. Managers will ask.
Re: (Score:2)
Unfortunately, I think he's being honest; granted, we would love to require that, but it's not going to happen.
Re: (Score:2)
Security isn't about how hardened your OS is, although it is a crucial ingredient (if you have bad apples, a chef can't make a good apple pie no matter how good. However, a bad chef can take perfectly good fruit and make something horrid.)
What is lacking in a lot of companies is an actual security policy. Encryption is the easy stuff. Making sure there is a department-wide policy, making sure users adhere to it, and keeping some type of mechanism in place for recovery if an employee leaves is what is tou
Re: (Score:2)
I might be talking out the wazoo, but if you added Lighttpd and got them in core you have a BSD-compatible stack right there, yes sir! Possibly an email server next?
Re: (Score:2)
....and having a competent human watch over everything and set the security policies.
Ha!
Re: (Score:2)
Based on probability of a breach: too much. If your chance of a breach is low (say, in the 1% per year range), that's only $2 per account compromised, or a cost of $600k per year. And great security only reduces the chance - it does not eliminate it.
There's also the lion attack argument: you only have to run faster than the slowest person being chased. Now, in this case, that might be the bottom 10%, but the goal is to be just enough better than the softest targets that you are unlikely to get hit. If you a
Re: (Score:1)
This is really the great thing about distributions like OpenBSD, Engarde Linux, Openwall, and other FOSS secure systems. They just don't buy into that shit. Oh, and thank the US government for also giving a rat's ass and providing us with SELinux too.
Re: (Score:2)
Your comment has absolutely nothing whatsoever to do with what I just said. Nothing. I was just thanking the people that give a shit.
Re: (Score:2)
The cost to a single customer from a data breach could easily be in the tens of thousands of dollars. I bet that would wake these people up.
Re: (Score:2)
Less than the encryption solution we've been lusting for. Most of the notification laws are written such that if you've encrypted you don't have to tell anyone about the breach.
Re: (Score:2)
A new car built by my company leaves somewhere traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, should we initiate a recall? Take the number of vehicles in the field, A, multiply by the probable rate of failure, B, multiply by the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one.
Seemed applicable
Re: (Score:1)
Except that's what Ford did with the Pinto, and once those documents were shown to the jury, the penalty award was set a lot higher. Thus those calculations don't work.
Another related question: how much does it cost the average individual whose data has been compromised? That would allow us to tell if the $200 cost is out of line with the results.
It's not going to be easy to determine, of course. Probably most people don't suffer significantly from a compromise, but some people lose a lot of money, have to spend a lot of personal time trying to clean things up, and suffer great stress, which isn't going to be easy to monetize. Moreover, not everybody who loses mone
$204 ... $20,400 -- wouldn't matter. (Score:4, Interesting)
The cost of a data breach increased last year to $204 per compromised customer record...
Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business. The only thing a business is concerned about is revealing the breach to the public because it could harm its reputation. Everything else can be mopped up in the insurance and legal departments. The costs of a data breach are thus passed on in aggregate to not just the company's customers, but to every business that purchases insurance from that insurance vendor. And given the lack of diversity in the insurance market (i.e., most of the market is controlled by only a few businesses) -- more than likely, that's a lot of businesses.
And that's how businesses manage risk -- and pass the costs on to you. And the problem will therefore never go away, because it's been put inside an SEP Field (Somebody Else's Problem), the most powerful repulsive force in the universe.
Re: (Score:1)
I think you got enough capital letters in there, but can you add more exclamation points to your post please? My doctor says if I don't get enough each day I may start to believe what people say on the internet, and then I have to get a referral to a psychiatrist. Also, begging to differ with you -- but money does grow on trees if you make your standard currency the leaf. Our great, great ancestors used that currency for a short time. But then a crazy man chasing a chesterfield sofa across prehistoric field
Re:$204 ... $20,400 -- wouldn't matter. (Score:4, Insightful)
The cost of a data breach increased last year to $204 per compromised customer record...
Insurance covers most companies. Because of this, it has gone from being a threat that must be addressed to a cost of doing business.
The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that take steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. So, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.
Re: (Score:1)
The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that take steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. So, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.
That's an oversimplification. Most insurance companies release guidelines that you have to comply with to get certain rates. For example, your auto insurance may be lower because you have a car alarm on it. That doesn't mean the car alarm works, or was from a reputable vendor, just that something on that car now meets the definition of "car alarm". Lots of checklists like this exist in the business world -- they add the appearance of security, but do nothing to actually create security. For example, the Sar
Re: (Score:2)
The thing is, the companies that provide that insurance want to make a profit. That means that they charge less to those companies that take steps to minimize their risk. That means that it costs the company to be vulnerable, even if nobody hacks their system. So, if a company does not mitigate its risk of a data breach and its competitor does, it is at a competitive disadvantage.
One of my wife's friends, an insurance underwriter, once explained that underwriters are experts on applied statistics. They are like an experimentalist scientist who doesn't know anything about the subject but is an expert at making predictions based on correlation coefficients and regression analysis. Maybe she was oversimplifying or drunk, whatever, that's just what I heard.
The relevance to the story is, that no insurance underwriter can provide an honest intelligent evaluation of data breach costs, mu
Re: (Score:2)
Also, most businesses self-insure anyway. The little ones are too fly-by-night and poor to afford insurance and are judgment-proof anyway, and the big ones take risks that are bigger than the insurers themselves and have large enough legal and lobbying departments to be above the law. So the only companies affected are vaguely medium-sized. Think, like, a small restaurant chain sized company, maybe a single-plant manufacturing company.
So, companies that self-insure are on the hook for the entire cost of the security breach, which reinforces my point. Insurance does not remove the market consequences to a company of not protecting its data from a data breach.
Re: (Score:2)
I checked into the savings I'd get on my house insurance if I got a house alarm. IIRC, it was about $30/year (~10% at the time). Cost of monitoring? $20+/month. So, basically, the savings on my house insurance are about 6 weeks of monitoring. I still have to fund the other 46 weeks.
So the question a business will ask is whether the cost of securing their data is more or less than the loss of insecure data, insurance rates included. I'm betting the cost of securing data will be far, far more than any i
Re: (Score:1)
Privacy costs money. It is not a value that should be pursued no matter the cost; rather, the costs should
bogus numbers (Score:3, Informative)
The vast majority of companies hide the fact that they are breached (constantly, in many cases). It costs them very little to just rebuild the hacked server, smack the admin who set root's password to 'root', and then pretend nothing happened.
Re: (Score:2)
And then if you get caught doing that you run afoul of the data breach notification laws, pay ~$204 per record and then get additional fines tagged on for trying to hide it.
Re: (Score:2)
Yeah, what kind of dumbass has root's password set to 'root'? Mine is '123456'. I reserve 'root' for my regular user's password. No one will ever guess THAT.
Re: (Score:2)
Well, what I see typically isn't "root/root" but rather "tomcat/tomcat" and "mysql/mysql". The sysadmins know their shit unless they're green or foreign, these days. It's the developers/app-people who have no clue about security.
Who the heck is 'Top'??? (Score:5, Insightful)
Data Breach Costs Top $200 Per Customer Record
My first reading of the headline left me wondering what company was named 'Top' and when their data breach was.
Re: (Score:1)
They make baseball/football/whatever cards.
But yes, more to the point, it appears a monkey with bird flu banging on the keyboard while vomiting violently wrote the subject.
1% Rise in Data Breach Costs per Customer Record (Score:2)
The article says the costs increased by $2 since 2008. So the headline is actually referring to something that happened back before 2008.
Want more details (Score:1)
before I believe this. How does one spend that much per record? A bit more detail would be nice...
(Made up number) / (Another made up number) = $204
The obvious solution... (Score:1)
Data Breach Costs Top $200 Per Customer Record (Score:2)
USD$200.00
Whoever came up with the blinding revelation in Ponemon Institute's annual study didn't have to work too hard to arrive at that number. One Google search and they took the rest of the day off...nice! Way to make tee time