Data Security Mistakes Cost an Average $14 Million

Security breaches involving consumer data cost marketers about $14 million per incident, and the loss of at least 20% of affected customers, or 2.5% of their total customer base.

One study from data-encryption firm PGP Corp. and The Ponemon Institute, a data management research group, found that 20% of consumers immediately closed their accounts with the marketer that lost their data; another 40% of consumers considered dropping the marketer.

A companion study from the two organizations put a dollar figure on marketers’ lost business and the costs incurred in a security breach, including internal investigations, outside legal defense fees, notification and call center support, public relations and investor relations, and lost employee productivity.

The first study, “National Survey on Data Security Breach Notification,” surveyed 9,000 consumers; 12% had been notified within the last year of a security breach involving their data (that extrapolates to 23 million U.S. consumers among the general population).

Twenty percent of survey respondents said they terminated their accounts when they got notice of a breach; another 40% were considering it.

The second study, “Lost Customer Information: What Does a Data Breach Cost Companies?” analyzed 14 incidents that compromised a total of 1.4 million data records. Recovery costs averaged $140 per lost customer record; marketers also lost an average 2.5% of all customers because of a breach, and as many as 11% of customers.

“The increasing incidence of reporting of lost private personal records poses a serious threat to consumer confidence— to vendor profits,” said PGP Business Advisory Board member Esther Dyson in a statement. “Companies are beginning to understand the effect carelessness with data can have on their reputations and their bottom line.”

Right now, 21 states have laws requiring marketers to notify customers or employees when security of personal data has been breached. The federal legislature is considering at least five bills on data security and notification. Two are in committee: The Senate’s “Personal Data Privacy and Security Act of 2005” (S. 1789) and the House’s “Consumer Notification and Financial Data Protection Act of 2005” (H.R. 3374) and Consumer Access Rights Defense Act (CARD) of 2005 (H.R. 3501). A fourth, Notification of Risk to Personal Data Act (S. 1326), is on the Senate’s general calendar. (The fifth bill proposes an amendment to the Fair Credit Reporting Act.)
