Over a Third of All Data Breaches in Germany Are the Result of Errors by External Partners
Current study on the cost of data breaches in Germany in 2009
OFFENBACH, Germany and TRAVERSE CITY, Mich., April 14 /PRNewswire/ -- In 2009 German companies had to invest more than they did only a year ago when they suffered a data breach with subsequent data abuse. More and more frequently the source of the error leading to violation of data protection is not in the company's own building but on the premises of external providers who are processing or using company data on the company's behalf. These are the results of the 'Jahresstudie 2009: Kosten von Datenpannen' ["2009 Annual Study: Cost of a Data Breach"], which examines the financial consequences of data loss and abuse in German companies with reference to real-life data.
The study, for the second time carried out by Ponemon Institute and supported by PGP Corporation, is based not on hypothetical assumptions but on the actual facts and figures resulting from data breaches and subsequent cases of data abuse in 22 German companies. The data breaches covered by this study range from cases of fewer than 3,300 data records affected to cases of around 63,000 data records. Data from a total of twelve different industries was covered, the emphasis being on quantifying the direct and indirect costs and the subsequent expenditure arising from loss or theft of personal data, using objective measurement criteria.
Overview of important results
- Data breaches becoming more expensive: Whilst the average cost of data-protection violations examined in the previous year was about euro 2.41m per case, in 2009 companies had to dig nearly 7 percent deeper into their pockets and spend an average of euro 2.58m per case to rectify the damage resulting from actual cases of data abuse. The cost per compromised data record rose even more, namely by 18 percent from euro 112 to euro 132. In the most serious case examined, data abuse caused damage amounting to around euro 7m. The reason for the rising cost appears to be the 2009 amendment to the German Data Protection Act.
- External providers often cause data breaches: Violations of data protection with subsequent data theft are more and more frequently resulting from errors by external providers who receive data from a company. Whilst in last year's study 17 percent of cases examined were the result of errors by third parties, in 2009 this figure rose to 36 percent. Because of the additional expenditure on forensics and advisory services the resultant damage of euro 159 per compromised data record was far above the expenditure of euro 132 per data record as a result of an internal data breach.
- Clear allocation of expertise pays off: The 36 percent of companies in which responsibility for data security and handling of damage rectification in the event of data abuse were clearly delegated to a member of company management – e.g. the person responsible for information security – spent around euro 87 per data record affected in the event of data abuse. In companies that had not made any clear allocation, however, the cost was euro 158 per compromised data record.
- Malice and negligence in nearly equal measure: In the examined cases from 2009, 54 percent of all cases of data abuse resulted from malicious or criminal attacks or the activities of botnets (2008: 50 percent). The average resultant cost of euro 120 per compromised data record was far below the euro 147 cost per data record when the fault lay in the IT systems or the cause was employee negligence. There are thus grounds to assume that whilst companies are investing more in defensive and forensic technologies they are in the process neglecting to check the reliability of production systems, or sensitisation and training of employees.
- Customers punish companies with data breaches: Seen against the total cost of euro 132 per compromised data record in the event of a data breach, the euro 46 cost component for lost profit in 2009 was far higher than in 2008 (euro 36). This shows that customers and consumers place far more value on protection of personal data than they did a year ago. The cost of exposure increased comparatively moderately, from euro 36 to euro 39, and for reactive measures the estimated average was euro 41, as against euro 36 in 2008. A clear percentage increase of 75 percent from euro 4 to euro 7 per endangered data record was established as the cost of notifying those concerned.
- For companies, data protection is above all a technological matter: The amended data-protection laws have led to many companies updating their technology. Thus the proportion of companies questioned who use encryption solutions rose by 26 percent to a total of 77 percent. There were also increases of 20 percent to 30 percent for other appropriate technological measures compared with the year before. Thus 73 percent of companies have optimised their checking of internal and external network transitions, 68 percent run a security event management system and 59 percent a DLP (Data Loss Prevention) solution. Involvement of companies in training and sensitisation measures, on the other hand, demonstrated low growth rates, with a mere 27 percent of companies investing in regular data-protection training for their employees.
"German customers and consumers are extremely sensitive to the protection of their personal data. Any company that has still not grasped this fact is putting their existence at risk," said Phillip Dunkelberger, President and CEO of PGP Corporation. "This year's report shows the loss of profit after a data breach and should convince companies that data protection is not a trend, but a crucial task that is critical to business."
Information for editorial boards
We will be happy to e-mail you a PDF file of the complete 'Jahresstudie 2009: Kosten von Datenpannen' [2009 Annual Study: Cost of a Data Breach]. The study will shortly also be available as a download from www.encryptionreports.com.
About the Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organisations in a variety of industries.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software for enterprise protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organisations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes and backups.
PGP® solutions are used by more than 110,000 enterprises, businesses, and governments worldwide, including 87 percent of the Fortune® 100, 73 percent of the Fortune® Global 100, 80 percent of the German DAX index, and 60 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies' brands and reputations. Contact PGP Corporation at www.pgp.com.
Media Contacts Ponemon Institute:
- Mike Spinney, 978-597-0342
Media & Analyst Contacts for PGP Corporation:
- Germany: Ingrid Daschner / Oliver Fischer, Johnson King, +49 (0) 89 8940 85-11/-12
- North America: Tom Rice, Merritt Group, +1 703 856 2218
- United Kingdom: Jacqui Depares / Ben Roberts, Johnson King, +44 (0) 20 7401 7968
- France: Carol Pender / Alexandra Radius, Johnson King, +33 (0)1 53 16 11 11
Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation's sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation's products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation's products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
SOURCE PGP Corporation