Study Counts the Cost of Data Breaches
July 30, 2007 Timothy Prickett Morgan
Compliance regulations are a big pain in the neck, but putting policies and practices in place that control who has access to what information, and under what conditions, is not just a requirement of many laws; it is also a good idea in an increasingly networked and computerized world. Too often, though, companies look at compliance measures purely as a cost, much as they did when they weighed mainframes and minicomputers decades ago. The IT Policy Compliance Group wants companies to think of compliance efforts instead as a means of preserving corporate reputations and revenues.
In a new report entitled Why Compliance Pays: Reputations and Revenues at Risk, which you can download here, the group has tried to hang some numbers on the costs of data breaches. Based on Attrition's Data Loss Database, in the past two years 280 companies based in the United States have had publicly exposed incidents of data theft or loss, and the group reckons that the number will only increase, because more breaches will come to light as consumers and government regulators watch more closely. Based on benchmark metrics derived by the group, companies that are outed for losing customer data, or for being breached in some way by hackers, can expect to see an 8 percent decline in revenue, an 8 percent hit on their stock price, and expenses in the range of $100 per lost customer record. Those are pretty big numbers, obviously, even if they are very broad averages.
The study also says that if a company is a compliance laggard, it can expect some sort of publicly disclosed data loss every three years, while those who are on top of their compliance game have cut the probability of a data loss down to once every 42 years. The group's benchmarks also show that the companies that are best at compliance are the same ones that have the fewest data losses and the fewest disruptions from IT system downtime.