More than one third of the 45 data breach cases studied by the Ponemon Institute in 2009 involved lost or stolen laptop computers or other mobile data-bearing devices.
Data breaches concerning lost, missing or stolen mobile devices are more expensive than other incidents, according to the Ponemon Institute's Fifth Annual U.S. Cost Of A Data Breach Study, which is conducted each year in partnership with PGP Corp., an email and data encryption software provider.
The per-victim cost for a data breach involving a lost or stolen laptop was $225 in 2009, 10% higher than the average total cost of a data breach and 5% higher than the cost of a breach caused by a malicious attack.
Malicious and criminal enterprise data breaches also are on the rise, according to the study.
Cause Of A Data Breach, 2009
| Cause |
% Respondents |
| Third-party flub |
42% |
| Negligence |
40% |
| Lost or stolen laptop/mobile device |
36% |
| Malicious or criminal attack |
24% |
Source: Ponemon Institute, "Fifth Annual U.S. Cost Of A Data Breach Study," 2009.
Twenty four percent of all cases in the 2009 study, which was released Jan. 25, 2010, involved a malicious or criminal attack that resulted in the loss or theft of personal information; such attacks accounted for 12% of data breaches in 2008.
In addition, the 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215, 40% higher than breaches involving a negligent insider ($154) and 30% higher than breaches from system glitches ($166).
In 2009, the nature of malicious breaches has also changed significantly, according to Dr. Larry Ponemon, Chairman & Founder of the Ponemon Institute. "This year that category morphed from common fraud of someone doing social engineering to electronic Botnet data stealing malware events. There have been a number of cases involved data stealing malware that infiltrated networks and was eventually discovered by the company. A lot of those threats have long-reaching effects. My gut feel is that this is a new issue and it's going to drive future cost of data breach studies."
He adds, "Malware is not the same old malware we were dealing with four or five years ago. What we see now is a new breed, and it's a type that bad guys are using to get inside and start surgically looking for different types of data, things such as source codes and intellectual property. Some of that seems to be much more sophisticated and stealthy to identify and detect using anti-virus and anti-malware tools."
Ponemon's research shows that malicious or criminal data breaches are much more expensive for corporations than incidents resulting from negligence.
Data breaches from malicious attacks and botnets doubled from 2008 to 2009 and cost corporations substantially more than those caused by human negligence or IT system glitches.
Average Cost Of A Data Breach
The study examines the costs incurred by 45 organizations after experiencing a data breach. Results are not hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents.
Breaches included in the survey ranged from fewer than 2,500 records to more than 101,000 records from 15 different industry sectors.
The total cost of a data breach rose slightly to $204 from $202 per compromised record. According to participants in the 2009 study, data breaches cost their companies an average of $204 per compromised record -- of which $144 pertains to indirect cost including abnormal turnover or churn of existing and future customers.1
The 2008 average per victim cost was $202, with an average indirect cost at $152 per breach victim. In 2009, direct costs rose to $60 from $50 in 2008.
The average organizational cost of a data breach increased from to $6.65 million in 2008 to $6.75 million in 2009.
The most expensive data breach event included in the 2009 study cost a company nearly $31 million to resolve.
The least expensive total cost of data breach for a company included in the 2009 study was $750,000.
The magnitude of the breach events studied ranged from approximately 5,000 to approximately 101,000 lost or stolen records.
As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.
1 For purposes of comparability across different breach incidents, data breach cost is measured on a per capita or compromised record basis. | 
