The need for organizations to respond quickly to data breaches drove the costs higher, according to the report, which was conducted by Ponemon on behalf of Symantec and examined the data breach experiences of 51 US companies from 15 industry sectors.
In 2010, 43% of companies notified victims within one month of discovering a data breach, up from 36% in 2009. Those quick responders had a per-record cost of $268 in 2010, up 22% from 2009; companies that took longer paid $174 per record, down 11%.
"Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases. The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws", the report said.
The most expensive data breach in 2010 cost the company $35.3 million to resolve, a 15% jump for the most expensive in 2009. The least expensive data breach was $780,000, up 4% from the least expensive in 2009.
In the 2010 study, 31% of all cases involved a malicious or criminal act, up seven percentage points from 2009. This marks the first time malicious attackers were not the least common cause of breaches. The cost for a malicious data breach was $318 per record in 2010, up 48% from 2009.
The number of breaches caused by negligence increased one percentage point to 41% of the total data breaches in 2010. This trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies, the study warned.
Also, 63% of respondents use training and awareness programs after data breaches, down four percentage points from 2009. Encryption is the second most implemented preventive measure as a result of a data breach. Both encryption and data loss prevention (DLP) solutions have increased 17% since 2008.
According to the report, three data breach response characteristics of organizations increased in frequency: the number of organizations responding quickly (within 30 days), those putting chief information security officers in charge of data breach response, and those with an above-average IT security posture.
"Taken together, these figures may indicate more organizations are taking more active steps to thwart hostile attacks. Moreover, breaches due to systems failures, lost or stolen devices and third-party mistakes all fell. All these point to companies becoming more conscientious about preventing data breaches in the worsening threat environment", the report observed.
The cost of lost business from a data breach was stable at $4.5 million for the third straight year. In 2010, lost business accounted for 63% of the total cost of a data breach, down 3% from 2009 and down 6% from 2008. "The decrease in spending on lost business closely matches the amount spent on detection and escalation and ex-post response", the report noted.
The reported offered a number of solutions to reduce the likelihood of data breaches: encryption, including whole disk encryption and for mobile devices/smartphones; DLP solutions; identity and access management solutions; and endpoint security solutions and other anti-malware tools.