2010 Annual Study: U.S. Cost of a Data Breach March 8, 2011

Upload: symantec

Post on 12-Jan-2015


Ponemon and Symantec Research

• Examines the following topics:

– What are industry-average costs resulting from a breach, including the detection, investigation, notification, and possible services offered to affected individuals?

– What are the potential legal costs?

– What are the costs of lost customers and brand damage?

– What are the key trends?

– What measures are taken following a breach that could have been implemented to avert it?

• Sixth year Ponemon has conducted this survey

• Actual data breach experiences of 51 U.S.-based organizations

• 15 industries


Data breach costs continue to rise

• Average organizational cost increased to $7.2 million

– Up 7 percent from $6.8 million in 2009

– Total data breach costs have grown every year since 2006

• Per compromised record cost increased to $214 in 2010

– Up $10 (5 percent) from 2009

• Data breaches costing more at both ends of scale

– Most expensive breach was $35.3 million (up 15 percent)

– Least expensive breach was $780,000 (up 4 percent)

• Data breach cost directly proportional to the number of records compromised


Rapid response costs significantly more

• 43 percent notified victims within one month of discovering the data breach

– Up 7 points from 36 percent in 2009

– Largest percent increase among data breach response attributes

• Quick-responders paid more per record

– Quick responders paid $268 per record, up $49 (22 percent) from 2009

– Companies that took longer paid $174 per record, down $22 (11 percent) from 2009


May reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws.


Malicious or criminal attacks more frequent

• For the first time, malicious or criminal attacks are not the least common cause of breaches

– 31 percent of cases involved malicious or criminal attack

– Up 7 points from 2009

• Breach costs for malicious attacks skyrocketed

– 2010 cost per compromised record averaged $318, up $103 (48 percent) from 2009

– Highest of any data breach cause this year

• Cost gap between malicious and non-malicious breaches grew by more than 10 times, from $14 to $151

– Reinforces extreme danger hostile breaches pose


Major causes of data breaches

• Negligence remains the most common threat

– Edged up one percent to 41 percent and averaged $196 per record, up 27 percent from 2009

• Companies are more vigilant about preventing system failures

– Breaches involving system failure dropped nine percent to 27 percent

• Lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat

– Stayed roughly the same at 35 percent this year, down one point

– Per-record costs rose $33 (15 percent) to $258 per record for such breaches but stayed virtually flat at $191 for those that did not


Organizations more proactive to thwart hostile attacks

• Malicious or criminal attacks increased the most in 2010 (up 7 points), no longer least common cause

• Companies with an above average IT security posture increased

• Organizations responding quickly rose the most (up 7 points)

• More companies put CISO in charge of response (up 5 points)

• Breaches due to system failure dropped (down 9 points)

• Breaches due to lost or stolen devices dropped (down 1 point)

• Breaches due to third-party mistakes dropped (down 3 points)


All these point to companies becoming more conscientious about preventing data breaches in the worsening threat environment.


Finding and remediating data breaches paying off

• Organizations more proactive in finding and starting response to data breaches

– On average detection and escalation cost $455,000, up 72 percent from $264,000 in 2009

• More resources devoted to contacting and helping data breach victims

– Ex-post response saw strong gains, up 15 percent from $1.5 million last year to $1.7 million in 2010

• The cost of lost business stayed relatively stable

– $4.5 million for the third straight year

– Lost business has decreased proportionally to overall data breach costs

– Decrease in spending on lost business closely matches the amount spent on detection and escalation and ex-post response


Encryption gaining fast as post-breach remedy

• Training and awareness programs remained #1 remedy with 63 percent (down 4 points) using them

• Encryption stayed most popular technology solution with 61 percent (up 3 points)

• Other notable remediation procedures following breaches:

– Additional manual procedures and controls, 54 percent (down 4 points)

– Identity and access management solutions, 52 percent (up 3 points)

– Data Loss Prevention (DLP) solutions, 43 percent (up 1 point)


Technological solutions seeing the strongest growth, while personnel and policy solutions have grown more slowly.


Best Practices to Avoid Major Causes of Data Breach

• Assess risks by identifying and classifying confidential information

• Educate employees on information protection policies and procedures, then hold them accountable

• Deploy data loss prevention technologies which enable policy compliance and enforcement

• Proactively encrypt laptops to minimize consequences of a lost device

• Integrate information protection practices into business processes


Data Breach Risk Calculator

• Enables organizations to estimate how a data breach could impact their company

• Uses six years of trend data from this study

• It can calculate:

– The likelihood that the company will experience a data breach in the next 12 months

– The cost per record in the event of a data breach at the company

– The cost of a data breach at the company

• www.databreachcalculator.com


In Summary

• Key Findings:

– For the fifth year in a row, data breach costs have continued to rise, particularly at the top

– Escalating data security threats and compliance pressures to combat them are driving more organizations to respond so rapidly to data breaches that they pay significantly higher costs

– For the first time, malicious or criminal attacks are the most expensive cause of data breaches but not the least frequent

– Organizations are more proactively protecting themselves from malicious attacks

– Companies’ investments in finding and remediating data breaches may be paying off


Thank you!

Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
