Video: Data breaches to cost more in the cloud

Remedying a data breach costs 40 percent more for businesses that store their data offshore, a study of Australian incidents has found.

Conducted by the Ponemon Institute and PGP Corporation, the inaugural Australian Cost of a Data Breach report aimed to quantify the costs associated with public and private sector data breaches.

Sixteen organisations participated in the study between September 2009 and January, all of which had experienced one or more data breach incidents during the past year.

The incidents that were reported involved between 3,300 and 65,000 compromised records, and were found to cost an average of $123 per compromised record.

Incidents that involved a third party -- such as a cloud computing or software-as-a-service (SaaS) provider -- had a higher average cost of $152 per record, compared to $109 for incidents that occurred and were handled in-house.

PGP CEO Phillip Dunkelberger told iTnews that organisations operating in the cloud incurred higher costs because of issues to do with territorial jurisdictions, and additional investigation and consulting fees.

"I think the cloud is coming in a big way, but the people promoting it have got to be careful they don't confuse basic data security with the legal and jurisdictional issues that come when you've got data spread around the world," he said.

"Fundamentally, clouds have a different legal and jurisdictional profile, especially when they cross national boundaries," he explained.

"You've got to deal with how do we do the research into what happened, how do we deal with two legal teams, multiple IT teams, and that's why third party breaches are much more costly than remedying it on your own."

Poneman and PGP have produced similar data breach reports in the U.S. for the past five years. The Australian report was said to stem from discussions with the Australian Law Reform Commission (ALRC), which in 2008 made 295 recommendations to the Government on privacy laws and practices.

One key ALRC recommendation was that organisations be required to notify the Privacy Commissioner and affected individuals of any serious data breaches, and civic penalties to apply for failure to report breaches.

The recommendations were expected to be implemented in stages, with stage one commencing by February 2010. However, the Government has yet to introduce relevant legislation.

Dunkelberger said PGP had discussed its findings with the offices of Prime Minister Kevin Rudd and Attorney General Robert McClelland, and received a "positive" response.

"The country that has done the best job at examining what they should do is Australia," he said. "Even though there's no action on it yet, you guys are trying to build a system that is fair to consumers and fair to businesses."

"They [governments] keep trying to craft the perfect legislation for an industry that's working at light speed ... you're never going to get the perfect balance," he said, noting that "something that works 80 percent of the time" would suffice.

Should data breach notification laws be mandated in Australia, Dunkelberger expected costs for businesses to increase as in the U.S., where costs associated with data breaches rose an estimated 40 percent during the past five years as notification practices and laws became more stringent.

Currently, each lost record cost $41 in lost business and churn, $41 to detect and report, $35 in customer support and $5 to notify customers affected by the breach.

Dunkelberger recommended legislation that provided safe harbour for businesses that complied with best practices, and fines for those caught breaking the law by not reporting major breaches.

"I don't think you need a big government bureaucracy running around being the data breach police," he said, explaining that notification laws would place the onus on businesses to self-report.

"I think that if you've got a self-reporting regime saying the fines are doubled or tripled if you don't do this and people find actionable data, then I think that will be interesting."

The report found malicious attacks and botnets to account for 44 percent of data breaches. 31 percent of incidents were attributed to system glitches and the remaining 25 percent to negligence.

Thirty-one percent of all cases involved mistakes by third parties such as cloud computing or SaaS providers.

Meanwhile, a market appeared to be emerging for businesses that specialised in providing outsourced data breach remedies, including public relations and legal services.

The report found data breach incidents to cost 25 percent more when the remedy was managed by an external consultant or firm.