
Revealed: The full cost of a corporate data breach

Full Disclosure - saying sorry is the cheapest bit

Tags: full disclosure, law, data breach, legislation

By Steve Ranger

Published: 25 February 2008 12:11 GMT

Data breaches cost businesses nearly £50 for each customer record lost, with one UK company revealing that a recent data breach cost it £3.8m.

Research sponsored by PGP and Symantec examined the costs incurred by 21 UK businesses after they experienced a data breach.

The breaches included in the survey ranged from less than 2,500 records to more than 125,000 records, and the average costs of a data breach reached £47 for every record compromised. Costs for financial services firms were higher, which the report said reflected that customers of these organisations have high expectations of trust and privacy - so banks have more to lose from a data breach.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The average total cost per company was more than £1.4m per breach and ranged from £84,000 to almost £3.8m. The cost of lost business was the most significant component of data breach costs, averaging more than £496,000, or £17 per record compromised - 36 per cent of the costs in the study.

Because companies are not legally required to notify individuals affected by a data breach, notification costs averaged only £1 per record, while detection and other activities following a breach both cost £15 per record.

Around a third of the data breaches in the sample were due to lost or stolen laptops or other devices such as USB flash drives.

Breaches by third-party organisations such as outsourcers, contractors and business partners were reported by 38 per cent of respondents, and these breaches were also more expensive than breaches by the organisation itself, averaging £59 per record compared to £42 per record.

Dealing with the security breach and notifying the affected customers is less expensive than the blow to a company's confidence and the customer churn, said PGP president and CEO Phil Dunkelberger. "People vote with their feet and move their bank accounts or habits for shopping," he said.

A number of countries - and US states - have put in place legislation aimed at making organisations protect their customers' data more carefully. And silicon.com's Full Disclosure campaign has been calling for a rethink of the UK's data protection laws to make it clearer to companies how they should act when faced with a data breach.

Dunkelberger said the network of different laws around the globe is becoming a headache for large organisations. He said: "The big companies are the companies most affected because they have to be compliant in Japan, in the UK and in the US in 40 different ways so the cost of compliance globally is rising."

He added: "The real starting point is how do we help businesses apply this globally? Then it's very easy for them to drive this down in their supply chain."

Dunkelberger said there should be 'safe harbours' such as there are in the Californian data breaches law, where companies that have taken adequate measures (such as encrypting data) are not punished for losing data. He also said these laws should cover government as well as the private sector. He said: "We're remiss in calling for stronger sanctions if we don't offer companies 'outs' like safe harbours - and get the governments involved too."
