Third Annual UK Ponemon Study Shows the Cost of a Data Breach Continues to Increase

Each lost record cost firms 64 pounds Sterling in 2009; 69 pounds for private sector, 59 pounds for public organisations

Jan 28, 2010, 08:00 ET from PGP Corporation

LONDON and TRAVERSE CITY, Mich., Jan. 28 /PRNewswire/ -- Privacy and information management research firm Ponemon Institute, together with PGP Corporation, a global leader in enterprise data protection, today announced the results of the third annual study into the costs incurred by UK organisations after experiencing a data breach.  The "2009 Annual Study: UK Cost of a Data Breach" report, compiled by the Ponemon Institute and sponsored by PGP Corporation, found that each lost customer record cost on average 64 pounds Sterling in 2009, a seven percent increase on 2008's figure of 60 pounds.  In 2007 the cost per lost record stood at just 47 pounds.  Lost business due to reduced consumer trust was the main contributor to this expense, making up 29 pounds per record.

The 2009 study is the first report of its kind to quantify the costs associated with both public and private sector breaches.  The research showed that UK public organisations faced average costs of 59 pounds per lost record.  While the financial impact of lost business is substantially lower for public bodies than for commercial firms, the costs associated with detecting and escalating a breach, with notifying citizens and dealing with subsequent enquiries, are all substantially higher in the public sector, and are the principal contributors to the overall costs. In comparison, the cost per lost record in the commercial sector stood at 69 pounds per record.

"This third annual study shows that the financial impact of data breaches is hitting UK organisations harder and harder each year," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.  "In the commercial sector the costs associated with customer churn and attracting new customers are particularly acute, but our research suggests these firms are getting better at detection, remediation and customer communications.  However, these efficiencies aren't shared in the public sector, where the direct costs of a data breach are significantly higher.  For example, the cost of notifying users that their records might have been compromised is more than four times higher for public organisations than for private firms."

The report focuses on the cost of activities resulting from real life data loss incidents occurring between May 2009 and January 2010.  A total of 33 UK organisations – 25 from the private sector and eight from the public sector – participated in the research, revealing breach events of between 5,200 and 60,000 personally identifiable information records.  These breaches cost between 365k pounds and 3.92 million pounds to manage, at an average of 1.68 million pounds.

A copy of the study, including a full breakdown of the various direct and indirect costs impacting organisations, is available from PGP Corporation at:

Factors impacting data breach costs

The 2009 study shows that the root cause of a data loss incident, and an organisation's reaction to the loss, directly affected the overall cost of the breach.  When a third party was responsible for the loss, per record costs climbed to an average of 81 pounds.  Organisations which fell victim to a malicious or criminal attack also sustained higher costs, with per capita costs rising to 76 pounds.  The financial impact was also greater for those organisations experiencing their first ever breach, or suffering an incident as a result of a lost or stolen laptop.

Conversely, there were several factors that proved to reduce the overall financial impact of a data breach.  Organisations which responded quickly to a loss incident, notifying customers of the breach within one month of detection, incurred costs of just 56 pounds per record, 8 pounds lower than the overall average.  If the chief information security officer, or equivalent, took personal responsibility for managing the incident, costs dropped to 59 pounds per victim.  Firms employing external consultants to assist in the management of the breach saw per record costs fall to an average of 60 pounds.

Post data breach responses

The organisations participating in the research identified encryption and data loss prevention (DLP) solutions as the top two technology responses following a data breach.  In addition, manual control practices and training programmes were cited as the top two implemented manual processes.  This suggests that UK organisations understand that an enterprise data protection strategy that is supported and understood by all employees must be implemented to properly safeguard information.

"There is positive news from this study - organisations that proactively protect their data suffer less when hit by a data breach," said Phillip Dunkelberger, president and CEO of PGP Corporation. "While the Information Commissioner is poised to introduce fines of up to half a million pounds for non-compliance with the Data Protection Act, organisations that employ a strategic approach that combines strong security leadership, well defined operational procedures and integrated technology solutions will reduce their exposure to costly loss incidents."

About the Ponemon Institute

The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government.  To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About PGP Corporation

PGP Corporation is a global leader in email and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organizations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes, and backups.

PGP® solutions are used by more than 100,000 enterprises, businesses, and governments worldwide, including 95 percent of the Fortune® 100, 75 percent of the Fortune® Global 100, 87 percent of the German DAX Index, and 51 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies' brands and reputations. Contact PGP Corporation at

Media Contacts Ponemon Institute:

Mike Spinney


Media & Analyst Contacts for PGP Corporation:

United Kingdom:

Jacqui Depares

Johnson King

+44 (0) 20 7401 7968

North America:

Tom Rice

Merritt Group

+1 703 856 2218


Ingrid Daschner

Johnson King

+49 (0) 89 8940 8511

Legal Notice Regarding Forward-Looking Statements

Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation's sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation's products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation's products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.

PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.

SOURCE PGP Corporation