July 30, 2010


Study: Of All Breaches, Those Caused by Hacking Are the Costliest

(January 27, 2010) The cost of data breaches rose slightly last year, but breaches resulting from computer hacking incurred by far the highest losses, according to a new report from privacy and data-security research firm Ponemon Institute LLC.

The average cost per compromised customer record rose to $204 in 2009 from $202 in 2008 and $138 as recently as 2005, according to Traverse City, Mich.-based Ponemon’s “2009 Annual Study: Cost of a Data Breach.” Some 24% of breaches were caused by placement of so-called malware or botnets or related criminal attacks on computer systems, double the 12% rate for such attacks in 2008. Forty percent of 2009’s breaches resulted from negligence, and 36% came from system glitches, according to the study.

The study, sponsored by Menlo Park, Calif.-based data-protection technology provider PGP Corp., is based on the actual breach experiences of 45 companies in 15 industry sectors. The firms agreed to complete detailed surveys about their breaches, including discovery, response, and effects on their businesses. Respondents included eight financial firms, eight retailers, five services firms, and four technology companies. None was identified specifically. Breaches affected 5,000 to more than 101,000 records. Forty-two percent of the breaches in the 2009 study involved mistakes by outsourcers.

Of the $204 overall loss per record, some $60 came from direct costs to find and fix the breach and resolve problems such as legal matters. Ponemon says direct costs rose in 2009 by $10 because of higher legal expenses. The other $144 consisted of indirect costs, including abnormal customer turnover. Indirect costs declined an estimated 5% in 2009 but breach-related customer churn still accounts for 40% of incident expenses, the report says.

Malicious attacks are the most costly, with resulting expenses of $215 per compromised record, the study says. That’s 39% higher than the $154 per-record breach expenses from negligence. Breaches from system glitches cost an average of $166 per compromised record.

Citing figures from the San Diego-based Identity Theft Resource Center, Ponemon noted that the number of reported breaches fell to 498 in 2009 from 657 in 2008. But the average cost per incident rose to $6.75 million last year from $6.65 million the year before.

Merchant acquirer Heartland Payment Systems Inc., which in January 2009 announced a data breach that a federal prosecutor later said may have compromised 130 million cards, apparently the biggest ever, was not part of the study. But Ponemon Institute chairman and founder Larry Ponemon tells Digital Transactions News by e-mail that, “For merchant processors, or any company … collecting, managing, and securing sensitive consumer information, the number-one lesson is, poor information security comes at a steep price. Given the rising dollar costs and the cost to reputation, we believe that more and more companies will begin to embrace security as a strategic competitive differentiator, which will ultimately make the cost that much greater in terms of lost business for those organizations that fail to address this issue seriously.”

Indeed, Heartland is in the midst of a big end-to-end encryption project that it says will better protect data. Another large acquirer, RBS WorldPay, which itself suffered a sizable data breach, and various other payments-industry companies also are rolling out end-to-end encryption or related technologies (Digital Transactions News, Aug. 11, 2009).

Ponemon, however, says true security involves more than just technology. “We believe strongly in encryption as a critical component of a security technology program, but no single technology is effective without a sound, comprehensive plan that addresses an organization’s particular data-security needs,” he says. “Policy development, training and education, and constant awareness must complement any investment in technology. Every employee and every business partner must be aware of their role in the security chain, as well as the consequences of failure.”








Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.