Firms are paying a hefty price for data breaches, according to a new study with each customer record lost in the UK being worth an average of £60, according to company privacy research firm Ponemon Institute.

Ponemon’s report, The 2008 Annual Study: UK Cost of a Data Breach, found that the average cost of an incident is now £1.7m, compared to £1.4m in 2007, when factors such as lost business, PR damage, customer notification and other remedial work is factored in. The £60 simulated cost is up from £47 in 2007.
The poll covered a wide span of incidents from breaches of 4,100 to over 92,000 records and from an estimated cost of £160,000 to £4.8m.

Jamie Cowper, European marketing director at encryption software specialist PGP, which sponsored the report said more than half the cost came from “abnormal customer churn” – in other words, customers changing supplier as a result of data breaches.

Other notable trends include the finding that 70 per cent of cases involved negligent behavior on the part of company insiders while just 30 per cent were the result of malicious behavior. A third of cases were caused by errors from third parties such as outsourcers. Remedial activity was led by use of encryption, identity and access management software, as well as training and awareness programmes.

In the US, laws have long called for firms to publicly report breaches, awareness is higher, and there are greater numbers of people who stand to be affected.

According to Ponemon, US breaches cost companies an average of $202 (£142) for every data record lost in 2008. As with the UK, the most costly factor was loss of business.

"The growth in lost business costs demonstrates consumers do not take a breach of their trust and privacy lightly and have not become desensitised to the issue," the study said.

Two industries suffered the worst backlash from consumers. The churn rate – that is, the rate at which people changed their provider -- was 6.5 per cent for health care and 5.5 per cent for financial services, the study found.

So far, about 44 US states have data-loss notification laws, but the laws can vary widely. For example, some companies do not have to tell customers if data is scrambled with 128-bit encryption or if the breach was stopped before information was wrongly acquired.

Last month, the Identity Theft Resource Center (ITRC) found that more than 35 million data records were breached in 2008 in the US, a record number. The majority of the lost data was neither encrypted nor protected by a password, it found. The ITRC counted 656 breaches in 2008 from a range of well-known US companies and government entities. That was 47 per cent more incidents than the 446 breaches in 2007.

Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law. But the ITRC said it is likely many more than 35 million records were lost since some companies do not reveal how many records were compromised.

Related articles:

Information Commissioner charges three NHS Trust for data breaches

Most data breaches avoidable - report