The cost of a data breach is highest in the United States, according to a Ponemon Institute study that looked at 133 breaches in five industrialized countries.
U.S. breaches cost $6.75 million on average, or almost twice the next highest average expense, $3.44 million in Germany. In the U.K., France, and Australia, costs averaged $2.57 million, $2.53 million, and $1.83 million respectively.
High data breach costs appear to be associated with strict customer notification requirements, according to the study. The U.S. has strict notification laws in 46 states; Germany passed strict rules in July 2009. The three countries with lower breach costs lack such regulations.
The largest breach-related expense is lost business, according to the study. Forty-four percent of costs on average stem from customer turnover and new challenges in attracting customers. For each lost record, lost business costs companies $135 in the U.S., followed by Germany ($61) and the U.K. ($45).
Companies can mitigate that lost business by clearly communicating the cause and other issues surrounding a breach, says Ponemon analyst Mike Spinney. Organizations should also try to limit damage to customers. Paying for identity theft protection services, for example, can be particularly valuable in cases involving theft or criminal hacking, he says, as customer data is more likely to be used maliciously.
Putting a chief information security officer or another executive in charge of incident management also cut breach costs by 21 percent on average, the study found. Such leadership can create a more “effective, measured” response and help set a “unified strategy consistent with corporate goals,” Spinney says.
Stricter notification laws are under consideration in the U.K., according to reports. As more countries add such laws, breach-related expenses such as lost business will likely rise, according to the Ponemon study.