Rising cost is not all bad news, however. Detection and escalation costs rose dramatically, indicating U.S. organizations are being more proactive in dealing with data security, according to Larry Ponemon, chairman and founder of the Ponemon Institute. Organizations in the United States have invested far less than their European counterparts, he says, and the survey may indicate a trend toward catching up. Spending on detection and escalation was up 72 percent per breach in the United States, from an average $264,000 to $455,000 in 2010. In addition, organizations are spending more resources on contacting and helping victims, $1.7 million, up from $1.5 million per breach.
The study was conducted through detailed surveys, including interviews, of 51 organizations in 15 verticals. The surveys were conducted over six months using multiple resources within each organization (as opposed to surveying a single individual). The breach sizes ranged from 4,200 to 105,000 lost or stolen records. To avoid skewing the overall results, Ponemon did not survey companies with huge breaches of millions of records.
The survey results fly in the face of the common assumption that rapid notification of individual breach victims is a good thing. In fact, organizations that responded quickly (43 percent of the respondents notified victims with 30 days) spent a lot more money, much of it unnecessary, than those that took their time. Though regulations generally favor notification within 30 days, the survey indicates that quick action may be bad business.
"A lot of organizations that notify data breach victims too quickly incur a larger cost, and the reason is, quite frankly, there's an over-reporting phenomenon," says Ponemon. People who are notified when their records were not actually breached become angry and are more likely to stop doing business with the company, ultimately increasing the cost of the breach.