Global Data Breach Costs Examined for First Time

April 28, 2010

Without a doubt the Ponemon Institute’s most popular study is our Annual Cost of a Data Breach study, a case study analysis of U.S. data loss incidents of varying size and cause, affecting a representative sampling of industries. Because we examine the actual costs incurred by companies as a result of discovering and responding to a data breach, we believe our figures are an accurate measure of the potentially devastating financial impact following a data breach. As more and more states followed the model of California’s landmark notification law, SB 1386, the costs have risen steadily from a 2005 average incident cost of $4.5 million to a 2009 cost of $6.65 million.
As you might expect, every year we are asked by folks around the world, “Do you have figures for my country?” Because the regulatory regimes in Europe and elsewhere take a different approach to the classification and management of personally identifiable information, and because a data breach overseas often does not compel companies to make public disclosure of the event, our answer has been “no.”
That has changed, however, and today, for the first time, we have published our Global Cost of a Data Breach study in generous cooperation with the folks at PGP Corporation.
We’ve had the honor of discussing the results with a number of excellent and respected journalists from the likes of Network World and Forbes, so I won’t rehash what I’ve already told those publications.
What I will point out here is that, even though the European data protection community has traditionally taken a different approach to maintaining the personal privacy of its citizens, clearly the problem of data loss is as prevalent there as it is here in the U.S. Companies from Europe and elsewhere overseas have approached us for years to help them study and understand the causes and results of information security breakdowns, and even though this is the first time we’ve issued a report on the problem, it is far from new.
The notification model is changing, however. As we note in our report, Germany adopted a notification law midway through 2009. Not so coincidentally, their costs are second only to the United States. In the UK just yesterday, the Information Commissioner’s Office predicted that country would have a data breach notification law within 18 months.
As this study continues, it will be interesting to observe how these new laws and changing regulations affect data breach costs. In the meantime, contact us with your questions as we continue to offer new and interesting insights into the issue of data privacy, information security, and responsible information management.
Posted by Mike Spinney at 12:13 pm

Comments (1)

It is very smart to observe the data breach costs; maybe then it will get C-levels to take action—get the right hardcore IT monitoring and protection equipment, and hire people who have the ability to do their jobs as well as be IT savvy enough to ensure the security of the network during and after their workday. C-levels need to always assume that their network infrastructure is not safe. They must keep in mind that 1.) any design has a weakness, whether that weakness is already in the software or in the managing of a network; and 2.) there is user naivete (not just end-users not being IT savvy but high-level IT personnel as well—how aware are they really of the hacker’s mentality?); and last, let’s definitely keep in mind 3.) the hacker’s curiosity—when a hacker knows 1.) and 2.) are not being looked after, it’s time to get down to real business; he/she will take proactive steps to do the research, mix that with advanced stealth social engineering skills, enter a few queries—and you’ll get your data breach.