ANALYSIS: 2010 U.S. Cost of a Data Breach
By Ponemon Institute
Ponemon Institute’s 2010 report on the cost of a data breach for U.S. companies found that for the second year in a row, escalating data security threats and compliance pressures to combat them drove more organizations to respond so rapidly to data breaches that they paid significantly higher costs. In 2010, quick responders had a per-record cost of $268, up 22 percent from $219 the year before. Companies that took longer paid $174 per record, down 11 percent from 2009. Among other things, the report found for the first time that malicious or criminal attacks were the most expensive cause of data breaches and not the least common one.
The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies, sponsored by Symantec. Ponemon Institute research indicates that data breaches continue to have serious financial consequences for organizations. This year’s report found that for the second year in a row, escalating data security threats and compliance pressures to combat them are driving more organizations to respond so rapidly to data breaches that they pay significantly higher costs.
This benchmark study examines data breach costs resulting in the loss or theft of protected personal data. As a benchmark study, Cost of a Data Breach differs greatly from the standard survey study, which typically requires hundreds of respondents for the findings to be statistically valid. Benchmark studies are valid because the sample is designed to represent the population studied. They intentionally limit the number of organizations participating and involve an entirely different data-gathering process.
In a survey, the unit of analysis is an individual. In this benchmark study, the unit of analysis is an organization. Each company represents one case study. We conduct in-person and telephone interviews with many individuals in participating organizations. This process can take several months to complete. In sum, benchmark studies are far more difficult to execute and analyze than standard survey research.
The findings of this benchmark study pertain to the actual data breach experiences of 51 U.S. companies from 15 different industry sectors, all of which participated in the 2010 study. We believe the findings of this study are important because they can be generally applied to U.S. organizations that experience large data breaches (between 1,000 and 100,000 compromised records).