Consumers are actively punishing companies that lose their confidential and private information through database breaches, according to a survey from the Ponemon Institute and PGP Corporation, which found that nearly 20% immediately cancelled accounts with vendors that 'lost' information - and another 40% seriously considered cancellations.
Furthermore, companies participating in a parallel study estimated incurring an average cost of US$14 million per breach incident, with costs ranging as high as US$50 million.
The survey report, entitled 'Lost Customer Information: What Does a Data Breach Cost Companies?', presents live data from actual cases of lost customer data and the associated costs incurred in the recovery process. Covering 14 separate incidents, it represents 1.4 million compromised data records and almost US$200 million in total costs. Total cost estimates include the actual cost of internal investigations, outside legal defence fees, notification and call centre costs, PR and investor relations efforts, discounted services offered, lost employee productivity, and the effect of lost customers.
The related survey, entitled 'National Survey on Data Security Breach Notification', reports results from 9,000 consumers, 12% of whom had received notifications of information mishandling. When statistically extrapolated to the entire US population, an estimated 23 million consumers are thought to have received such notices to date. Results showed that 60% had terminated or were considering terminating their accounts.
"The increasing incidence of reporting of lost private personal records poses a serious threat to consumer confidence - and to vendor profits," said Esther Dyson, editor of CNET Networks' Release 1.0, and a member of the PGP Business Advisory Board. "Yet it is the right thing to do because it is forcing companies to clean up their acts. Companies are beginning to understand the effect carelessness with data can have on their reputations and their bottom line."
Among the report's other findings:
- Average additional spending resulting from a single data breach was US$5 million;
- Reported costs were as high as US$50 million for an insurance company;
- Average total recovery costs were US$140 per lost customer record;
- Average loss was 2.5% of all customers, reaching as much as 11% in some cases.
Andrew Krcik, vice president of marketing for PGP Corporation, said: "Many companies know that customer acquisition and retention are the life-blood of long-term corporate success. A brand reputation built with hundreds of millions of dollars over decades can be destroyed by the careless handling of private customer data."
Indeed, when the lifetime value of customers is so high and new customer acquisition is so difficult, safeguards for their sensitive data are essential if companies are to avoid destroying customer confidence through an unforeseen slip.
Nowhere to hide
And thanks to increasing regulatory requirements, companies can't even hope that customers simply won't find out about mishandled information (as was often the natural course of action in the past). Currently 21 US states have laws requiring that customers or employees be notified when protected personal information has been breached. Specific requirements vary by state, but this notification requirement is often waived if lost data was protected using encryption technologies. Notification legislation is also now under consideration at the federal level.
Jim Reavis, president of Reavis Consulting Group and editor of the CSOinformer newsletter, suggests a practical answer: "In my interviews with Chief Security Officers, encryption is by far the most commonly cited mitigation strategy for breach notification legislation. The idea is simple: If you have a mobile device, database, or desktop computer protected with encryption such as PGP, companies and law enforcement have more confidence that personal data on those systems is not subject to compromise."