First Annual French Ponemon Study Shows the High Cost of Data Breaches for French Organizations
Each compromised record costs firms an average of euro 89; the most expensive data breach cost over euro 6.4 million to resolve
PARIS and TRAVERSE CITY, Mich., April 15 /PRNewswire/ -- Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in enterprise data protection, today announced the results of the first annual study into the costs incurred by French organisations after experiencing a data breach. The "2009 Annual Study: French Cost of a Data Breach" report, compiled by the Ponemon Institute and sponsored by PGP Corporation, found that each lost customer record cost an average of euro 89 in 2009. The ex-post response is the main contributor to this expense (euro 31), followed jointly by lost business and detection and escalation of incidents (euro 27). With no data breach notification law currently applicable in France, it is unsurprising that data breach notification accounts for only euro 4 of the average cost.
The report focuses on the cost of activities resulting from real life data loss incidents occurring in the past year. A total of 17 French companies and public sector organisations from 11 different industry segments participated in the research, revealing breach events of between approximately 2,500 and 57,700 personally identifiable information records. These breaches cost between euro 400k and euro 6.4 million to manage, with an average cost of euro 1.9 million.
One of the most striking findings of the 2009 study is the significant difference in costs incurred in the various sectors, particularly in the public versus private sector. While the public sector faced average costs of euro 31 per lost record, the cost increased to as much as euro 147 per record in the pharmaceutical industry and euro 140 in the financial industry. These were also the industries that experienced the highest level of customer turnover due to diminished customer confidence and trust, a factor which had no impact on the public sector.
"This first annual study shows that French commercial organisations in particular are being hit hard by the financial impact of data breaches," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "Should the new data breach notification bill that has just been passed by the French Senate be adopted by the National Assembly, the costs associated with handling incidents will surely increase. As this is the first year we have completed the study in France and indeed the first time most of the organisations interviewed have actually calculated the financial ramifications of losing data, it will be interesting to revisit the question in a year's time and see where and how improvements have been made."
Factors impacting data breach costs
The 2009 study shows that malicious attacks and botnets are among the primary drivers of data breaches and cost substantially more than breaches caused by human negligence or IT system vulnerabilities. The cost per record compromised in a data breach involving a malicious or criminal act averaged euro 138, while breaches from negligence and systems failures had an average per-record cost of euro 85 and euro 77 respectively. These findings suggest that organisations must start protecting themselves more proactively from increasingly aggressive malicious outsiders, as a reactive remediation strategy is much more expensive.
Fifty-nine percent of all cases in this year's study involved organisations that had their first breach. The cost of a data breach for organisations that had their first breach was euro 99 versus euro 75 for organisations that had previous incidents. This may be attributed to the fact that an organization dealing with a breach for the first time does not have the experience necessary to deal with the incident in a knowledgeable and efficient manner.
Third-party errors also cost organisations greatly. Forty-one percent of all cases in this year's study involved third-party mistakes. Data breaches involving data outsourced to third parties, especially when the third party is offshore, are particularly expensive. The cost per compromised record for data breaches involving third parties was euro 130 versus euro 60 if the breach did not involve a third party. This is primarily due to additional investigation, forensics and consulting fees.
Finally, 35 percent of all cases in this year's study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches involving these devices cost organisations euro 122 per compromised record, euro 51 (72 percent) more than the euro 71 incurred if the breach did not involve such items.
Post data breach responses
The organisations participating in the research identified encryption and strengthened perimeter controls as the top two technology responses following a data breach with 25 percent and 21 percent respectively. However, the most popular preventative measures taken were additional manual procedures and controls (53 percent) and training and awareness programs (46 percent). The least popular solutions were endpoint security solutions (8 percent) and security event management systems (5 percent). This suggests reluctance on the part of French organisations to invest in technology solutions and adopt a holistic approach to protecting their data.
"With the growing popularity of IT models such as cloud computing and remote working, data has never been more vulnerable if it is not protected properly," said Phillip Dunkelberger, president and CEO of PGP Corporation. "By ensuring that the correct technology, policies and procedures have been implemented from the outset, companies can avoid the financially disastrous impact of a data breach and invest instead in projects that will help grow their business and profits."
A copy of the study, including a full breakdown of the various direct and indirect costs impacting organisations, is available from PGP Corporation at: www.encryptionreports.com.
About the Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in businesses and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software for enterprise protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organisations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes and backups.
PGP® solutions are used by more than 110,000 enterprises, businesses, and governments worldwide, including 87 percent of the Fortune® 100, 73 percent of the Fortune® Global 100, 80 percent of the German DAX index, and 60 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies' brands and reputations. Contact PGP Corporation at www.pgp.com.
Media Contacts Ponemon Institute:
Mike Spinney, 978-597-0342

Media & Analyst Contacts for PGP Corporation:
Carol Pender/Alexandra Radius, Johnson King, +33 (0)1 53 16 11 11
North America: Tom Rice, Merritt Group, +1 703 856 2218
United Kingdom: Jacqui Depares / Ben Roberts, Johnson King, +44 (0) 20 7401 7968
Germany: Ingrid Daschner / Oliver Fischer, Johnson King, +49 (0) 89 8940 85-11/-12

Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation's sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation's products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation's products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
SOURCE PGP Corporation