A new study from the Ponemon Institute--sponsored by Symantec--reveals that the average cost of a data breach increased by seven percent to $7.2 million in 2010--with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million. One thing is very clear: losing sensitive data is an expensive proposition.
One of the driving forces raising the cost of exposing sensitive data is the growing patchwork of laws and regulations governing data protection and data breach disclosure. The Data Breach and Encryption Handbook--published by the American Bar Association--has over 300 pages dedicated to deciphering data breach laws around the globe. One appendix has 10 pages devoted to data breach laws and disclosure requirements just in the United States.
Don't fall into the trap, though, of blaming regulation and oversight. Regulation and oversight may contribute to the cost of data breach incidents, but the laws and requirements are a response to the rise in data breach incidents and to companies' tendency to be unwilling to invest in better data protection, and reluctant to reveal data breach incidents when they occur--even to the very customers and individuals affected by the breach. As with other instances of government or industry intervention, the regulation and oversight are symptoms of the problem, not the cause.
According to the Ponemon study, the average data breach cost per individual compromised record is $214. With that figure in mind, consider data breach incidents from just this week--like the Alaska Department of Education losing 89,000 records on a stolen hard drive, or the University of South Carolina data breach incident exposing 31,000 records on the Internet. Quick math based on the Ponemon study suggests that the Alaska Department of Education may have just learned a $19 million lesson in data protection, and the University of South Carolina could be set back more than $6 million.
Another compelling finding of the Ponemon study is that negligence is the leading cause of data breaches--responsible for 41 percent of the data breach incidents in the study. Organizations need to have security policies in place that define how sensitive information should be handled. More importantly, though, organizations need to invest in tools that can help enforce those policies by automating the encryption of data, and detecting and blocking potential compromise of sensitive data.
Implementing data encryption and data loss prevention (DLP) tools costs money. No matter how expensive data protection might be, though, I can virtually guarantee that it costs less than not protecting the data. Does your IT department have a spare $7.2 million in the budget to take that gamble?