PGP INSIGHT

Press Release: Data Breaches Expensive for German Companies
Study establishes the average cost of a data breach in 2008
Offenbach, Germany and Traverse City, MI / 05 February 2009 – The market research body ‘Ponemon Institute’ has published the results of the ‘2008 Annual Study: Germany Cost of a Data Breach’. The first study of its kind in Germany, with reference to data from actual breaches, the study specifies the costs resulting from data breaches in German companies. The study established that data breaches have significant financial effects on companies, the average cost per data breach for an organisation being € 2.4 million, and each individual data record causing expenditure of € 112.
This 2008 Ponemon Institute benchmark study, sponsored by PGP Corporation, examines the costs incurred by 18 organizations after experiencing a data breach. Results were not hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents. Breaches included in the survey ranged from fewer than 3,750 records to more than 90,000 records from 10 different industry sectors.
Whilst comparable investigations concerning the USA have been carried out over the past four years, this is the first study concerning Germany to quantify, with reference to objective measurement criteria, the direct and indirect costs arising from a breach or theft of personal data and the consequential expenditure.
Overview of the most important results
- Total costs: A data breach is an expensive matter for any company; the average cost of a data breach is € 112 per data record affected. The total cost per data breach in the companies covered by this study was between € 267,000 and € 6.75 million, the average being over € 2.41 million.
- Sources of costs: At about € 36 per data record, the costs of detection & escalation and of ex-post response shared an average that is practically constant. Expenditure on notification averaged € 4 per endangered data record or € 80,000 per data breach. These comparatively low costs result from the insufficiently legislated obligation to publicise information in the event of a data breach in Germany.
- Mobile devices: Data breaches with mobile devices are more expensive than cases involving desktop computers. The investigation revealed that lost or stolen laptops comprised 28% of the cases covered, and the cost averaged € 123.63 per data record affected compared with € 106.85 for other data breaches.
- Expensive “first timer” experience: Companies experiencing a data breach for the first time suffered higher costs than ones that had already experienced such events. For those “first timers,” the cost per compromised data record was € 125.44, whilst companies with experience of a data breach only had to pay € 89.62 per data record. In 39% of the instances covered by the study, the companies involved suffered more than one major case of data loss or abuse.
- Customer turnover: The number of customers leaving companies as a result of a data breach exceeded the normal fluctuation of 3.24%. One company participating in the study even suffered an 8% increase in customer loss. The consequences of unplanned customer losses are lower revenues and increased marketing expenditure on acquisition of new customers.
- Consequences: 54% of companies are implementing initiatives for improved control of the data flow so as to prevent future data breaches. In this context 51% of the companies involved in the survey have extended their use of encryption technologies, the second most common technical measure being the use of solutions for security event management.
“From this first study into the cost of a data breach in Germany we can see that this is a critical issue,” said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. “As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy.”
On request we will be happy to send you the publication in question – ‘2008 Annual Study: Germany Cost of a Data Breach’ – which analyses the financial effects of data breaches in German companies. It can also be downloaded from: www.encryptionreports.com.
About PGP Corporation
PGP Corporation is a global leader in email and data encryption software for enterprise data protection. Based on a unified key management and policy infrastructure, the PGP® Encryption Platform offers the broadest set of integrated applications for enterprise data security. PGP® platform-enabled applications allow organizations to meet current needs and expand as security requirements evolve for email, laptops, desktops, instant messaging, smartphones, network storage, file transfers, automated processes, and backups.
PGP® solutions are used by more than 80,000 enterprises, businesses, and governments worldwide, including 95 percent of the Fortune® 100, 75 percent of the Fortune® Global 100, 87 percent of the German DAX Index, and 51 percent of the U.K. FTSE 100 Index. As a result, PGP Corporation has earned a global reputation for innovative, standards-based, and trusted solutions. PGP solutions help protect confidential information, secure customer data, achieve regulatory and audit compliance, and safeguard companies’ brands and reputations. Contact PGP Corporation at www.pgp.com
Media & Analyst Contacts for PGP Corporation:
North America:
Lauren Ames
PGP Corporation
+1 650 543 3678
lames@pgp.com
Tom Rice
Merritt Group
+1 703 856 2218
rice@merrittgrp.com
United Kingdom
Jacqui Depares / Richard Scarlett
Johnson King
+44 (0) 20 7401 7968
pgpteam@johnsonking.co.uk
Germany
Ingrid Daschner
Johnson King
+49 (0) 89 8940 8511
ingridd@johnsonking.de
Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in Platform support or additional functionality are subject to change at PGP Corporation’s sole discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation’s products; any technological, regulatory, or standards changes in the security, encryption and authentications market which could make PGP Corporation’s products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.
Japan
Miho Mochizuki
gram3 Inc.
+81 3 6402 0303
pgp@gram3.co.jp
United Kingdom
Jacqui Depares
Johnson King
+44 (0)20 7401 7968
jacquid@johnsonking.co.uk