Data breaches cost businesses nearly £50 for each customer record lost, with one UK company revealing the cost of a recent data breach hit £3.8m.
Research sponsored by PGP and Symantec examined the costs incurred by 21 UK businesses after they experienced a data breach.
The breaches included in the survey ranged from fewer than 2,500 records to more than 125,000 records, and the average cost of a data breach reached £47 for every record compromised. Costs for financial services firms were higher, which the report attributed to the high expectations of trust and privacy that customers of these organisations hold - so banks have more to lose from a data breach.
silicon.com's Full Disclosure campaign - what we are asking for
silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.
The average total cost per company was more than £1.4m per breach and ranged from £84,000 to almost £3.8m. The cost of lost business was the most significant component of data breach costs, averaging more than £496,000, or £17 per record compromised - 36 per cent of the costs in the study.
Because companies are not legally required to notify individuals affected by a data breach, notification costs averaged only £1 per record, while detection and the other activities that follow a breach each cost £15 per record.
Around a third of the data breaches in the sample were due to lost or stolen laptops or other devices such as USB flash drives.
Breaches by third-party organisations such as outsourcers, contractors and business partners were reported by 38 per cent of respondents, and these breaches were also more expensive than breaches by the organisation itself, averaging £59 per record compared to £42 per record.
Dealing with the security breach and notifying the affected customers is less expensive than the blow to confidence in the company and the resulting customer churn, said PGP president and CEO Phil Dunkelberger. "People vote with their feet and move their bank accounts or habits for shopping," he said.
A number of countries - and US states - have put in place legislation aimed at making organisations protect their customers' data more carefully. And silicon.com's Full Disclosure campaign has been calling for a rethink of the UK's data protection laws to make it clearer to companies how they should act when faced with a data breach.
Dunkelberger said the network of different laws around the globe is becoming a headache for large organisations. He said: "The big companies are the companies most affected because they have to be compliant in Japan, in the UK and in the US in 40 different ways so the cost of compliance globally is rising."
He added: "The real starting point is how do we help businesses apply this globally? Then it's very easy for them to drive this down in their supply chain."
Dunkelberger said there should be 'safe harbours' such as those in California's data breach law, under which companies that have taken adequate measures (such as encrypting data) are not punished for losing it. He also said these laws should cover government as well as the private sector. He said: "We're remiss in calling for stronger sanctions if we don't offer companies 'outs' like safe harbours - and get the governments involved too."
Comments
1. Bart Patrick, SAS UK
Symantec's research serves to highlight the costly impact of negligence in managing customer information, plus the increased risks of fraud and identity theft associated with this type of carelessness. However, these risks should not be the only concerns for organisations when dealing with customer data. It is the reputational risks which create the most costly, long-term damage, with loss of data embedding a persistent negative customer opinion of the company affected. Too often we are seeing customer data being mistreated by organisations which are storing and using the same customer data in multiple databases, creating the conditions where one department is not only unaware of what another is doing with that data, but also ignorant of how it is being shared with third parties. Inattention to operational risk is coming home to roost in companies with poor operational risk systems and processes - and the consumer is the one who suffers.
Organisations need to develop a culture that understands the value of customer information and create a more robust, secure strategy to ensure safer data sharing with third parties.