For businesses, the cost of coping with data breaches has declined as they get better at preparing for such events, according to a study by Symantec Corp. and the Ponemon Institute. In addition, customers seem more accustomed to these events and are less likely to get huffy and walk out the door when breaches occur, the study found.
Researchers reported a 13 percent decline in the number of customers who abandon companies after being notified that their personal data was lost or stolen, although health care and financial services industries “are still more susceptible to high customer churn.”
The report said the average cost to a company was $188 per victim, compared with last year’s finding of $194 per victim. The average total cost to a business slipped to $5.4 million from $5.5 million.
Ken Goldstein, vice president and worldwide cyber security manager for the Warren, N.J.-based Chubb Group of Insurance Cos., said that doesn’t mean businesses have any less need for cybersecurity insurance. “Those are negligible changes,” he said. “That $188 is still a significant impact.”
Legal and regulatory pressures continue to steer businesses toward acquiring more coverage, and many midsize companies have not yet bought the extra coverage that could benefit them, Goldstein said.
In the U.S., all but a few states now have regulations requiring companies to notify their customers if protected personal data, such as Social Security numbers and financial account numbers, are lost or stolen.
Companies, including Chubb, AIG and Hartford Financial, that offer cybersecurity insurance expect that industry to continue to grow.
When it comes to regulatory controls on data breaches, Europe, Australia and Asia have not yet caught up with the United States, but they are moving in that direction, which means an expanding overseas market, Goldstein said.
The Symantec-Ponemon study examined costs incurred by 54 U.S. companies in 14 industry sectors after they experienced a loss or theft of personal data and then had to notify victims.
The study showed malicious or criminal attacks were the most frequent cause of breaches, accounting for more than 40 percent. A third of the incidents were blamed on employee negligence, and about one-quarter were attributed to system glitches. The ill-intentioned attacks tended to cost companies the most: about $277 per compromised record, versus $177 for an event caused by a careless worker.
The total number of data breaches and number of exposed records fluctuate from year to year, according to the nonprofit Identity Theft Resource Center. About 450 organizations, across business, financial, educational, government and health care sectors, disclosed data breaches in 2012, compared with 419 in 2011 and 662 in 2010.
In the first quarter of this year, 142 breaches were publicly disclosed, accounting for the exposure of nearly 1 million records.
The largest alleged data breach scheme ever prosecuted in this country was announced in July by New Jersey’s U.S. attorney. Russian nationals and a Ukrainian were charged with hacking more than a dozen U.S. and international corporations over seven years and stealing at least 160 million credit and debit-card numbers, resulting in hundreds of millions of dollars in losses.
The biggest loss, about $200 million, reportedly was sustained by Princeton, N.J.-based Heartland Payment Systems Inc., which processes credit and debit-card payments for small businesses.
Cybersecurity insurance can defray the cost when a breach occurs, and Chubb says it gives its customers breach-preparation templates to help organize a response plan if an event occurs. Having a formal response plan reduced the costs of breaches by $42 per compromised record, according to the Symantec-Ponemon study.