Data breaches cost average U.S. firm $5.4M per incident last year, says Ponemon

Annual report sees drop in costs due to better enterprise security measures

In 2012, a data breach cost a U.S. enterprise an average of $188 per record lost and $5.4 million per incident, according to the 2013 Cost of Data Breach Study compiled by the Ponemon Institute and security firm Symantec (Nasdaq: SYMC).

These numbers were down from the previous year's report, which found that a data breach cost a U.S. firm an average of $194 per record lost and $5.5 million per incident in 2011. This is the eighth year that Ponemon has conducted the data breach study.

The number of lost records per data breach in 2012 ranged from 2,300 to more than 99,000, with the average in the United States being 28,765 records lost. The 2013 report reviews breaches reported in 2012.

The report attributed the decline to the increasing number of chief information security officers being appointed with enterprise-wide responsibilities, as well as the implementation of data breach response plans and stronger enterprise security programs.

Human error and systemic problems accounted for two-thirds of data breaches last year. For example, prior Symantec research found that 62 percent of employees think it is acceptable to transfer corporate data outside the company, and the majority never delete that data, leaving the company exposed to data leaks.

"Data breaches are typically caused by people who are doing dumb things with data. It's not the hacker or the attacker. The problem is right under the security organization's nose," Robert Hamilton, senior product manager with Symantec's DLP group, told FierceEnterpriseCommunications.

The report is based on the data breach experiences of 277 companies in nine countries: the United States, United Kingdom, France, Germany, Italy, India, Japan, Australia and Brazil. To derive the cost estimates, Ponemon interviewed more than 1,400 individuals at these companies over a 10-month period.

Larry Ponemon, chairman of the Ponemon Institute, explained that the study excludes data breaches of fewer than 1,000 records lost and "mega" breaches of more than 100,000 records lost so that outliers do not skew the results.

Ponemon told FierceEnterpriseCommunications that the calculation of enterprise costs includes the detection and response to the data breach, breach notification to victims and regulators, customer retention efforts and business loss, which is the largest component at more than $3 million per incident.

To curb data breaches, Symantec recommends that enterprises train employees on how to handle confidential information, use data loss prevention technology, deploy encryption and strong authentication products and prepare a data breach response plan.

For more:
- check out the 2013 Cost of Data Breach Study (reg. req.)
