Ponemon Study Shows Data Breach Costs Continue to Rise

Lost Business Costs Up 30 Percent from 2006; Notification Costs Drop

Traverse City, Mich. – November 28, 2007 – Privacy and information management research firm the Ponemon Institute today announced the results of the 2007 Annual Study: Cost of a Data Breach. As companies grapple with the challenge of protecting their customers' private data, the new research shows that the cost of failing to do so is on the rise. According to the study, data breach incidents cost companies $197 per compromised customer record in 2007, compared to $182 in 2006. Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase, rising from $98 in 2006 to $128 in 2007 — a 30 percent increase.

The 2007 Annual Study: Cost of a Data Breach was sponsored by email and data encryption software leader PGP Corporation and data loss prevention solution provider Vontu, Inc. Initiated in 2005, the study examines the financial consequences of data breaches involving consumers' personally identifiable information. According to the Privacy Rights Clearinghouse, data loss incidents involving more than 215 million individual records have occurred since January 2005. The report released today focuses on the results of actual data breaches in 35 U.S. organizations across industries ranging from financial services to retail, health care, and software. A report detailing findings in U.K. organizations will be released in January 2008.

The annual Cost of a Data Breach study tracks a wide range of cost factors, including legal, investigative, and administrative expenses as well as customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. Key findings include the following:

  • Average total per-incident costs in 2007 were $6.3 million, compared to an average per-incident cost of $4.8 million in 2006.
  • The cost of lost business increased by 30 percent to an average of $4.1 million in 2007, approximately two-thirds of the average total cost per incident.
  • Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40 percent of respondents, up from 29 percent in 2006. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record.
  • Notification costs fell 40 percent, decreasing from $25 per customer in 2006 to $15 in 2007, suggesting a more measured, less reactive breach response.
  • The following six technology measures (in rank order) were enacted after a data breach:
    1. Expanded use of encryption
    2. Data loss prevention solutions
    3. Identity and access management solutions
    4. Endpoint security controls
    5. Security event management solutions
    6. Perimeter controls

"The data from 2007 suggests that although companies are responding to data breaches more efficiently, consumers seem to be less forgiving when their personal information is compromised," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "The bigger problem, however, remains the persistent underlying issue of data security. Of course, the easiest way for companies to avoid the costs associated with a data breach would be to avoid a breach in the first place."

"Compliance requirements, new notification laws, and the growing list of breaches have made organizations aware they need a different approach to data security," said Phillip Dunkelberger, president and CEO of PGP Corporation. "The 2007 Ponemon study shows that erecting another firewall doesn't work anymore because confidential data isn't just inside the company. A single product and a bunch of tactics aren't enough, either. Today, protecting data requires a comprehensive, long-term strategy that combines best-in-class solutions from industry leaders like Vontu to identify confidential data at risk and PGP Corporation to encrypt that data via a unified platform without disrupting the business."

"The fact that more than a third of breaches result from data being shared with third parties in the normal course of business is a clear signal that organizations should examine how they are sharing their customers' data with outsourcers, vendors, and partners," said Steve Roop, vice president of products and marketing, Vontu. "Our customers are well aware of this risk, which is why they are investing in enterprise data protection solutions like encryption and data loss prevention from companies such as PGP Corporation and Vontu."

The 2007 Annual Study: Cost of a Data Breach was derived from a detailed analysis of 35 data breach incidents involving fewer than 4,000 to more than 125,000 records. The study found that there is a positive correlation between the number of records lost and the cost of an incident. Companies analyzed were from 16 different industries, including communications, consumer goods, education, entertainment, financial services, gaming, health care, hospitality, internet, manufacturing, marketing, media, retail, services, technology, and transportation. Copies of the study are available through PGP Corporation, Vontu, and The Ponemon Institute.

A separate report recently issued by Vontu and The Ponemon Institute, the 2007 Consumer Survey on Data Security, showed that 62 percent of respondents have been notified that their confidential data has been lost, and 84 percent of those respondents reported increased concern or anxiety due to data loss events. "Our research clearly shows that data breaches are affecting consumers' trust in the organizations with which they share their data and, ultimately, their buying behavior," said Dr. Ponemon.

About the Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About PGP Corporation

PGP Corporation is a global leader in email and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organizations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, PDAs, network storage, file transfers, automated processes, and backups.

PGP® solutions are used by more than 80,000 enterprises, businesses, and governments worldwide, including 95 percent of the Fortune® 100, 75 percent of the Fortune® Global 100, 87 percent of the German DAX index, and 51 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies' brands and reputations. Contact PGP Corporation at or +1 650 319 9000.

About Vontu

Vontu is the leading provider of Data Loss Prevention solutions that combine endpoint and network-based technology to accurately detect and automatically protect confidential data wherever it is stored or used. By reducing the risk of data loss, Vontu helps organizations ensure public confidence, demonstrate compliance and maintain competitive advantage. Vontu customers include many of the world's largest and most data-driven enterprises and government agencies. Vontu has received numerous awards, including IDG's InfoWorld 2007 Technology of the Year Award for "Best Data Leak Prevention," as well as SC Magazine's 2006 U.S. Excellence Award for "Best Enterprise Security Solution" and Global Award for "Best New Security Solution." For more information, please visit

Press Contacts:

Mike Spinney
Ponemon Institute

Kit Robinson
Vontu, Inc.

Tom Rice, for PGP Corporation
Merritt Group

PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.