US Tops Charts For Most Costly Data Breaches: Study


Data security breaches are the most costly to businesses in Germany and the United States, according to a new report that analyzed the security incidents at 277 companies in nine countries.

The U.S. is the costliest country to have a data breach, according to "The 2013 Cost of Data Breach: Global Analysis," issued by the Ponemon Institute. The study found the total cost per data breach incident in the U.S. came in at $5.4 million. Total costs in Germany were estimated at $4.8 million.

"The most profitable investments companies can make seem to be an incident response plan, a strong security posture, the appointment of a CISO with enterprise-wide responsibility and the engagement of outside consultants," according to the Ponemon report.

[Related: Verizon Analysis: Top 10 Causes Behind Data Breaches]

The Ponemon Institute examined data breaches at organizations in the U.S., United Kingdom, France, Germany, Italy, India, Japan, Australia and Brazil. The study, which has been analyzing breach costs since 2005, included interviews with more than 1,400 individuals, who were surveyed about the extent of the security incidents at the organization and how incident response teams handled them.

Malicious attacks were behind the most costly data breaches in all nine countries, according to the report. More than 37 percent of incidents involved a malicious or criminal attack. Malicious attacks typically involved an external attacker gaining access to corporate systems, exposing sensitive data.

The study also found that negligent employees or contractors were a frequent factor in data breaches: 35 percent of incidents involved negligence, and a further 29 percent were attributed to system glitches.

Breach cost scaled with the number of records involved: the more records exposed in a breach, the higher the total cost, Ponemon said.

Organizations that had strong security leadership and trained consistently on a data breach response plan were able to contain costs. Likewise, organizations that brought in outside help to manage a significant security incident kept costs from escalating, the study found.

"In the U.S., those organizations that hired consultants to help them contain and resolve the incident were able to reduce the cost an average of $13 per compromised or exposed record," according to the Ponemon report.

Companies in Germany and Brazil experienced the highest costs associated with determining the scope of a data breach. Engaging computer forensics teams and audit services was the most costly in those two countries. Meanwhile, U.S.-based companies experienced the highest costs during the data breach notification stage and post breach remediation activities.

Lost business costs have been trending downward, according to the report, indicating that the public may be getting used to receiving data breach notification email messages and letters. An organization may still suffer short-term reputational damage, but the costs associated with customer turnover are lower than they used to be, Ponemon said. The study found that U.S. organizations had the highest lost-business cost, at more than $3 million.

Costs associated with post-incident activities, including remediation, legal expenses and identity protection services offered to affected customers, were also down globally, but again were highest in the U.S. and Germany. U.S.-based companies also had the highest costs associated with breach notification. Notifying potential victims too quickly, before the extent of the breach was understood, resulted in higher costs, according to the Ponemon report; organizations that first established the scope of the breach kept costs from escalating, the study found. In the U.S., rushed notification added as much as $37 per record, Ponemon said.

PUBLISHED JUNE 5, 2013