The Ponemon Institute in conjunction with PGP Corporation has announced the results of the first ever global study into the costs that are incurred by business following a data breach. It makes for good, or should that be bad, reading as far as Australia is concerned.
While globally the average cost of a data breach came to a bloody huge US $3.43 million for 2009, or US $142 per individual compromised customer record, the really interesting stuff starts happening when you look at the figures on a per country basis.
Those doing business in the USA were faced with by far the highest costs amongst the world powers analysed, with the average breach costing US $6.75 million, courtesy of strict breach notification laws.
Indeed, the report tends to suggest that in countries with no data breach disclosure laws, businesses face much lower costs as a result of poor security practice. Australia, for example, was the cheapest place to do business if your security is poor, with an average of US $1.83 million per breach.
The results change a little if you look at the costs in terms of an average cost per compromised record: the USA is still the most expensive at US $204 per record, but Australia slips off the top of the cheap list at US $114 per record, just losing out to the UK with a measly US $98 per record.
There can be no doubt, following the publication of this report, that data breach disclosure regulation has a staggering and direct impact upon the costs incurred by business. In the USA, which now has no less than 46 states imposing breach disclosure legislation, the cost per lost record was 43 percent higher than the global average.
In the UK, where only public sector and financial organisations currently face regulatory pressure to disclose breaches, costs per record were lowest at 45 percent below the global average.
Jonathan Armstrong, a technology lawyer at Duane Morris, warns that with the UK Information Commissioner's Office "toughening its stance on data protection, imposing hefty fines and scrutinising more and more organisations, it will be interesting to see how steeply UK costs rise in the future".
That is, in my opinion, a good thing for the UK and a bad thing for Australian business while Australia remains a cheap country to do insecure business in. Higher costs incurred when data is breached act as a catalyst for improved security, and surely that has to be a good thing?
Those country results in full:
- USA $6.75 million per breach, $204 per record
- Germany $3.44 million per breach, $177 per record
- UK $2.57 million per breach, $98 per record
- France $2.53 million per breach, $119 per record
- Australia $1.83 million per breach, $114 per record