2. Ponemon and Symantec Research
• Examines the following topics:
– What are industry-average costs resulting from a breach, including the detection, investigation, notification, and possible services offered to affected individuals?
– What are the potential legal costs?
– What are the costs of lost customers and brand damage?
– What are the key trends?
– What measures are taken following a breach that could have been implemented to avert it?
• Sixth year Ponemon has conducted this survey
• Actual data breach experiences of 51 U.S.-based organizations
• 15 industries
2010 Annual Study: U.S. Cost of a Data Breach 2
3. Data breach costs continue to rise
• Average organizational cost increased to $7.2 million
– Up 7 percent from $6.8 million in 2009
– Total data breach costs have grown every year since 2006
• Per compromised record cost increased to $214 in 2010
– Up $10 (5 percent) from 2009
• Data breaches costing more at both ends of scale
– Most expensive breach was $35.3 million (up 15 percent)
– Least expensive breach was $780,000 (up 4 percent)
• Data breach cost directly proportional to the number of records
compromised
4. Rapid response costs significantly more
• 43 percent notified victims within one month of discovering the
data breach
– Up 7 points from 36 percent in 2009
– Largest percent increase among data breach response attributes
• Quick-responders paid more per record
– Quick responders paid $268 per record, up $49 (22 percent) from 2009
– Companies that took longer paid $174 per record, down $22 (11 percent)
from 2009
May reflect pressure companies feel to comply with commercial regulations
and state and federal data protection laws.
5. Malicious or criminal attacks more frequent
• For the first time, malicious or criminal attacks are not the least
common cause of breaches
– 31 percent of cases involved malicious or criminal attack
– Up 7 points from 2009
• Breach costs for malicious attacks skyrocketed
– 2010 cost per compromised record averaged $318, up $103 (48 percent)
from 2009
– Highest of any data breach cause this year
• Cost gap between malicious and non-malicious breaches grew
by more than 10 times, from $14 to $151
– Reinforces extreme danger hostile breaches pose
6. Major causes of data breaches
• Negligence remains the most common threat
– Edged up one percent to 41 percent and averaged $196 per record, up 27
percent from 2009
• Companies are more vigilant about preventing system failures
– Breaches involving system failure dropped nine percent to 27 percent
• Lost or stolen laptop computers or other mobile data-bearing
devices remain a consistent and expensive threat
– Stayed roughly the same at 35 percent this year, down one point
– Per-record costs rose $33 (15 percent) to $258 per record for such
breaches but stayed virtually flat at $191 for those that did not
7. Organizations more proactive to thwart hostile attacks
• Malicious or criminal attacks increased the most in 2010 (up 7
points), no longer least common cause
• Companies with an above-average IT security posture increased
• Organizations responding quickly rose the most (up 7 points)
• More companies put CISO in charge of response (up 5 points)
• Breaches due to system failure dropped (down 9 points)
• Breaches due to lost or stolen devices dropped (down 1 point)
• Breaches due to third-party mistakes dropped (down 3 points)
All these point to companies becoming more conscientious about preventing
data breaches in the worsening threat environment.
8. Finding and remediating data breaches paying off
• Organizations more proactive in finding and starting response
to data breaches
– On average detection and escalation cost $455,000, up 72 percent from
$264,000 in 2009
• More resources devoted to contacting and helping data breach
victims
– Ex-post response saw strong gains, up 15 percent from $1.5 million last
year to $1.7 million in 2010
• The cost of lost business stayed relatively stable
– $4.5 million for the third straight year
– Lost business has decreased proportionally to overall data breach costs
– Decrease in spending on lost business closely matches the amount spent
on detection and escalation and ex-post response
9. Encryption gaining fast as post-breach remedy
• Training and awareness programs remained #1 remedy with 63
percent (down 4 points) using them
• Encryption stayed most popular technology solution with 61
percent (up 3 points)
• Other notable remediation procedures following breaches:
– Additional manual procedures and controls, 54 percent (down 4 points)
– Identity and access management solutions, 52 percent (up 3 points)
– Data Loss Prevention (DLP) solutions, 43 percent (up 1 point)
Technological solutions seeing the strongest
growth, while personnel and policy solutions
have grown more slowly.
10. Best Practices to Avoid Major Causes of Data Breach
• Assess risks by identifying and classifying confidential
information
• Educate employees on information protection policies and
procedures, then hold them accountable
• Deploy data loss prevention technologies which enable policy
compliance and enforcement
• Proactively encrypt laptops to minimize consequences of a lost
device
• Integrate information protection practices into business
processes
11. Data Breach Risk Calculator
• Enables organizations to estimate how a data breach could impact their company
• Uses six years of trend data from this study
• It can calculate:
– The likelihood that the company will experience a data breach in the next 12 months
– The cost per record in the event of a data breach at the company
– The cost of a data breach at the company
• www.databreachcalculator.com
12. In Summary
• Key Findings:
– For the fifth year in a row, data breach costs have continued
to rise, particularly at the top
– Escalating data security threats and compliance pressures to
combat them are driving more organizations to respond so
rapidly to data breaches that they pay significantly higher
costs
– For the first time, malicious or criminal attacks are the most
expensive cause of data breaches but not the least frequent
– Organizations are more proactively protecting themselves
from malicious attacks
– Companies’ investments in finding and remediating data
breaches may be paying off