The Ponemon Institute released its 2009 Annual Study: Cost of Data Breach, the fifth annual edition of the report, last month. This year the report explored several new areas and reached some interesting, and in some cases surprising, conclusions. These include:
- A large proportion (82%) of the organizations surveyed experienced at least one data breach of 1,000 or more records containing personal information during the past year. The myth that data breaches can be eliminated entirely appears to be fading.
- Almost half (44%) of the organizations outsourced the data breach response effort to an expert third-party consultant. When the response was outsourced in this way, the cost per victim was 26% lower than at companies that “go it alone”. That outsourcing can reduce costs is counter-intuitive to some, but it validates the value of an outside consultant who knows the process and can execute it using best practices.
- “Companies that notify too quickly may incur higher costs.” This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detecting the breach, ended up paying 12% more than their peers. The study attributes this to moving too quickly through the response process, which introduces inefficiencies that could otherwise be avoided.
As always, the report is full of valuable and interesting data and perspective for privacy, information security and legal officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII or PHI.