Posts Tagged ‘ponemon institute’


Outsourced data breach response lowers costs

Posted by: Doug Pollack | February 9th, 2010

The Ponemon Institute released its fifth annual study, “2009 Annual Study: Cost of Data Breach”, last month. This year, the report explored several new areas and came up with some interesting and, in some cases, surprising conclusions.

These include:

- Customer/patient/client churn rate, the tendency of those affected by a data breach event to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost-customer costs are typically two-thirds of the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third-party consultant. When the response was outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but it validates the value of an outside consultant that is knowledgeable and can execute using best practices.

- “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report are full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.

New Ponemon Study — data breaches from the consumer’s perspective

Posted by: admin | April 15th, 2008

by Doug Pollack

The Ponemon Institute today released a new study, sponsored by ID Experts, titled “Consumers Report Card on Data Breach Notification”. They describe the rationale and importance of this study as follows:

“It is well established that identity theft has become a very serious issue for Americans. But how well are organizations responding to consumers’ worries when their personal information is lost as the result of a data breach? We decided to conduct this study to find out if consumers who received notification about a data breach involving their personal information were satisfied with the organizations’ response and transparency. In other words, if the consumers had the ability to issue a report card on the current status of data breach notification would it be A for excellent or F for failing?”

The report provides a wealth of useful information to companies in order to effectively plan for a data breach response effort. Given an earlier Ponemon study estimate that around two-thirds of the $197 per person average cost of a data breach is in lost business and reputation, this report can assist companies in evaluating how elements of their data breach response effort can influence their customer retention rates and thereby attempt to reduce this very critical component of the cost equation.

Dr. Larry Ponemon states that:

“Data breach notifications are a failure if individuals do not have a clear understanding of their level of risk, available support, and the steps they need to take to respond to the loss or theft of their personal information. Our research strongly suggests that legal compliance is the primary goal of many companies’ notification efforts. This approach does not serve the best interests of consumers and contributes to a breakdown of trust that can impact a company monetarily as a result of increase in customer defection.”

To download a copy of this study, visit the ID Experts website and click on the New Ponemon Study link.