Data breaches cost Australian firms $A2M: survey

A new report from the Ponemon Institute, together with PGP Corporation, claims the average cost of a data breach at Australian organisations is almost $A2M.

The most expensive data breach cost one organisation surveyed more than $A4 million to resolve, according to the 2009 Annual Study: "Australian Cost of a Data Breach" report, which aims to quantify the costs associated with both public and private sector data breaches in Australia.

The research analysed the actual data breach experiences of 16 Australian companies from nine different industry sectors taking into account a wide range of business costs including expensive outlays for detection, escalation, notification and after-the-fact responses. It also analysed the economic impact of lost or diminished customer trust and confidence as measured by customer turnover (churn) rates.

The two most significant components of the cost for Australian organisations are lost business, and detection and escalation of incidents. The least significant is notification, largely because Australian organisations are not required to notify victims when a data breach occurs, unlike their US and UK counterparts, which operate under data breach notification laws.

"This first annual study shows that the financial impact of data breaches is significant for Australian organisations," said Dr Larry Ponemon, chairman and founder of The Ponemon Institute.

"The research points to malicious attacks as the primary drivers of data breaches and customer turnover being the most costly component following a breach. The cost of notifying customers that their information has been compromised remains lower in Australia than we have seen in other countries where breach laws mandate notification."

Malicious attacks and botnets are the primary drivers of data breaches in Australia, and they cost substantially more than breaches caused by human negligence or IT system glitches. In this year's study, 44% of all cases involved a malicious or criminal attack that resulted in the loss or theft of personal information.

The cost per compromised record for breaches caused by malicious attacks averaged $A156, while breaches from negligence and systems glitches had average per-record costs of $A94 and $A99 (40% and 37% less) respectively.

Data breaches involving data outsourced to third parties, especially when the third party is offshore, are common and costly. Thirty-one percent of all cases in this year's study involved third-party mistakes or flubs. The cost per compromised record for data breaches involving third parties was $A152 versus $A109 if the breach did not involve a third party, $A43 (39%) more. (This could be due to additional investigation, forensics and consulting fees.)

Industries with the highest customer turnover (churn rate) were financial, media and communications (7%), which also had the highest average costs per compromised record ($A177, $A182 and $A141 respectively). The industries with the lowest abnormal churn rates were retail and transportation (2%), followed by the public sector (1%); these had the lowest average costs per compromised record ($A73, $A72 and $A107 respectively).

Other key findings of this year's report show that 31% of all cases involved a systems glitch or lost or stolen laptop computers or other mobile data-bearing devices, 25% of all data breach cases involved employee negligence, and 56% of organisations surveyed with a better security posture had lower data breach costs than their less-prepared peers.

"This study shows that organisations that proactively protect their data suffer less when hit by a data breach," said Phillip Dunkelberger, president and CEO of PGP Corporation.

"While Australia does not have data breach notification laws and only a few data breaches are ever made public, it's clear that those organisations that employ a strategic approach that combines strong security leadership, well-defined operational procedures and integrated technology solutions will reduce their exposure to costly loss incidents."

Copies of the full study are available at www.encryptionreports.com