According to the annual Ponemon Institute survey report released March 8, 2011, U.S. companies affected by data breaches in 2010 incurred an average cost of $7.2 million per incident. (In comparison, in 2009, companies reported an average cost of $6.75 million.) The Ponemon survey identified a number of other interesting trends:

  • Companies are responding to data breaches and notifying individuals more quickly than in years past, but that corresponds to higher costs for companies.
  • There are fewer breaches due to systems failures, lost or stolen devices and third-party mistakes, but more than a third of all breaches involve malicious or criminal attacks. 
  • The drop in breaches from systems failures may be related to increasing efforts on the part of companies to prevent and mitigate breaches through new and increased use of security technologies, such as encryption, and compliance with security policies. Additionally, more organizations are putting Chief Information Security Officers in charge of breach response.

Parallel with industry efforts to respond to data breaches, a number of state legislatures — including Colorado, Hawaii, and Illinois — have been reviewing and considering amendments to their breach notice laws.  We will continue to monitor and provide updates on those developments.