Ponemon study shows costly French data breaches

According to the study, which appears to be the first of its type for France and was sponsored by PGP Corporation, the most expensive data breach in the country cost a hefty 6.4 million euro to resolve.

The report, 2009 Annual Study: French Cost of a Data Breach, revealed that 31 euro of the 89 euro average cost per record was spent on direct responses to the breach itself, with a further 27 euro per record attributed to lost business and to the detection and escalation of incidents.

For its study, the Ponemon Institute polled a total of 17 French companies and public sector organisations from 11 different industry segments, covering breach events that exposed between approximately 2,500 and 57,700 records containing personally identifiable information.

The cost of breach

These breaches, said the respondent organisations, cost between 400,000 and 6.4 million euro to manage, with an average cost of 1.9 million euro.

The Ponemon Institute says that one of the most striking findings of the 2009 study is the significant difference in costs incurred in the various sectors, particularly in the public versus private sector.

Whilst the public sector faced average costs of 31 euro per lost record, the cost increased to as much as 147 euro per record in the pharmaceutical industry and 140 euro in the financial industry.

The report also says that these were the industries that experienced the highest level of customer turnover due to diminished customer confidence and trust, a factor that did not affect the public sector.

"This first annual study shows that French commercial organisations in particular are being hit hard by the financial impact of data breaches", said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.

"Should the new data breach notification bill that has just been passed by the French Senate be adopted by the National Assembly, the costs associated with handling incidents will surely increase", he added.

According to Dr. Ponemon, since this is the first year the Institute has completed the study in France, and the first time most of the organisations interviewed have actually calculated the financial consequences of losing data, it will be interesting to revisit the question in a year's time to see where and how improvements have been made.

Dissecting the report's data reveals that malicious attacks and botnets are among the primary drivers of data breaches, and that such breaches cost substantially more than those caused by human negligence or IT system failures.

The cost per record compromised in a data breach involving a malicious or criminal act averaged 138 euro, whilst breaches caused by negligence and by system failures had average per-record costs of 85 and 77 euro respectively.

What has been learnt

PGP says that these findings suggest organisations must start protecting themselves more proactively against increasingly aggressive malicious outsiders, since a purely reactive remediation strategy is much more expensive.

Fifty-nine percent of all cases in this year's study involved organisations suffering their first breach. The cost per compromised record for organisations experiencing their first breach was 99 euro, versus 75 euro for organisations that had dealt with previous incidents.

This, says PGP, may be attributed to the fact that an organisation dealing with a breach for the first time lacks the experience needed to handle the incident in a knowledgeable and efficient manner.

Interestingly, third-party errors also cost organisations dearly. Forty-one percent of all cases in this year's study involved third-party mistakes. Data breaches involving data outsourced to third parties, especially when the third party is offshore, are particularly expensive.

The cost per compromised record for data breaches involving third parties was 130 euro, versus 60 euro when no third party was involved. This is primarily due to additional investigation, forensics and consulting fees.

Lastly, 35% of all cases in this year's study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches involving these devices cost organisations 122 euro per compromised record, 51 euro (72%) more than the 71 euro per record when no such device was involved.

Phil Dunkelberger, PGP Corp's president, said that, with the growing popularity of IT models such as cloud computing and remote working, data has never been more vulnerable when it is not properly protected.

"By ensuring that the correct technology, policies and procedures have been implemented from the outset, companies can avoid the financially disastrous impact of a data breach and invest instead in projects that will help grow their business and profits", he said.
