Results Distributed by PGP Corporation Show Substantial Impact from Consumer Data Breaches Involving 1.4 Million Compromised Records and $200 Million in Costs
Two new surveys find customers are actively punishing companies that lose their confidential and private information. Conducted by the Ponemon Institute© and distributed by PGP Corporation, the surveys find that almost 20 percent of customers immediately terminated their accounts with vendors that lost their information, and an additional 40 percent considered termination. Companies participating in a parallel study estimated incurring an average cost of $14 million per breach incident, with costs ranging as high as $50 million.
The survey – “Lost Customer Information: What Does a Data Breach Cost Companies?” – is the first of its kind to report data from actual cases of lost customer data and the recovery costs the affected companies incurred. Covering 14 separate incidents, it represents 1.4 million compromised data records and almost $200 million in total costs. Total cost estimates include the actual cost of internal investigations, outside legal defense fees, notification and call center costs, PR and investor relations efforts, discounted services offered, lost employee productivity, and the effect of lost customers.
The related survey – “National Survey on Data Security Breach Notification” – reports results from 9,000 consumers, 12 percent of whom had received notifications of information mishandling. When extrapolated to the U.S. population, an estimated 23 million consumers have received such notices. Results showed 60 percent had terminated or were considering terminating their accounts.
“The increasing incidence of reporting of lost private personal records poses a serious threat to consumer confidence – and to vendor profits,” said Esther Dyson, editor of Release 1.0 for CNET Networks and a member of the PGP Business Advisory Board. “Yet it is the right thing to do because it is forcing companies to clean up their acts. Companies are beginning to understand the effect carelessness with data can have on their reputations and their bottom line.”
Top-level corporate survey findings:
• Average additional spending resulting from a single data breach was $5 million
• Reported costs ranged as high as $50 million for an insurance company
• Average total recovery costs were $140 per lost customer record
• Average loss was 2.5 percent of all customers, ranging as high as 11 percent
Top-level consumer survey findings:
• Nearly 12 percent of consumers received a breach notification in the last year
• This figure suggests an estimated 23 million adults have received such notifications
• Almost 20 percent immediately terminated their accounts
• An additional 40 percent are considering account termination
“Great companies know that customer acquisition and retention are the life-blood of long-term corporate success,” said Andrew Krcik, vice president of marketing for PGP Corporation. “A brand reputation built with hundreds of millions of dollars over decades can be destroyed by careless handling of private customer information. When the lifetime value of customers is so high and new customer acquisition so difficult, why destroy customer confidence when practical safeguards are available to prevent such an event?”
Corporations no longer have the option of hoping customers will not find out about mishandled information. Currently, 21 U.S. states have laws requiring that customers or employees be notified when protected personal information has been breached. Specific requirements vary by state, but the notification requirement is often waived if the lost data was encrypted; in practice that protection holds only when the encryption keys were not exposed along with the data. Notification legislation is also under consideration at the federal level.
“In my interviews with Chief Security Officers, encryption is by far the most commonly cited mitigation strategy for breach notification legislation,” said Jim Reavis, president of Reavis Consulting Group and editor of the CSOinformer newsletter. “The idea is simple: If you have a mobile device, database, or desktop computer protected with encryption from a proven vendor like PGP Corporation, companies and law enforcement have confidence that personal data on those systems is not subject to compromise.”
PGP Corporation has developed the PGP® Universal encryption platform to protect organizations from data breaches, regulatory notification requirements, and resulting costs. It allows IT organizations to provide data security to all internal departments and external partners that handle confidential information. Its proxy-based architecture allows for central management, with automatic operation, email infrastructure transparency, and elimination of laptop/desktop, gateway/server, and mobile/wireless encryption silos. It helps entities meet their business unit requirements for customer privacy, competitive protection, supply chain integrity, and “brand insurance” against public breaches – without disrupting users.
Once deployed, the PGP Universal platform is capable of provisioning 10 encryption applications in a combination of gateway and end-point locations. This “deploy-once, enable over time” approach allows organizations to address their greatest risks today and grow into a comprehensive security solution over time. Current PGP encryption suite applications include disk encryption, email encryption, digital signatures, secure data deletion, instant messaging encryption, Self-Decrypting Archives (SDAs), batch process/FTP encryption, secure tape/archive encryption, encrypted email delivery to all recipients, and an encryption Software Development Kit (SDK) for customized, internal applications.
About PGP Corporation
The global customer standard for encryption and digital-signature solutions, PGP Corporation (pgp.com) develops, markets, and supports an integrated data security suite used by more than 30,000 enterprises, businesses, and governments worldwide, including 84 percent of the Fortune® 100, 66 percent of the Fortune® Global 100, and thousands of individuals and cryptography experts. During the past 10 years, PGP® technology has earned a global reputation for innovative, standards-based, trusted solutions. Contact PGP Corporation +1-650-319-9000.