Data breaches are costing companies more than ever as consumers shun those that have lost information, according to a new study.
Data breaches have proven to be a downside of the information age as personal and financial information face threats from hackers, careless employees and thieves.
The study, by the Ponemon Institute, is based on a survey of 43 US companies that lost data in 2008, ranging from 4,200 records to 113,000 records across 17 industry sectors.
The Institute, which studies privacy practices at companies and government organisations, found it cost companies on average US$202 for every data record lost in 2008.
That is up from $197 in 2007, $182 in 2006 and $138 in 2005, the first year the study was conducted.
These figures cover how much companies spend on detecting data losses, notifying victims, hiring forensic experts and paying for free credit checks for affected consumers, among other factors.
The biggest cost, however, was loss of business. Of the $202, more than half, $139, represented the cost of lost business. This is up 69 percent over 2007.
"The growth in lost business costs demonstrates consumers do not take a breach of their trust and privacy lightly and have not become desensitised to the issue," the study said.
Health-care and financial-services companies that lost data suffered the worst backlash from consumers. The churn rate -- or the rate at which people change their provider -- was 6.5 percent for health care and 5.5 percent for financial services, the study found. Health-care organisations also face a higher-than-average cost per record lost, at $282.
In the US, 44 states have data loss notification laws, but the laws can vary widely. For example, some companies do not have to tell customers if data is scrambled with 128-bit encryption or if the breach was stopped before information was wrongly acquired.
Last month, the Identity Theft Resource Centre (ITRC) found that more than 35 million data records were breached in 2008 in the U.S., a record number. The majority of the lost data was neither encrypted nor protected by a password, the ITRC's report found.
ITRC counted 656 breaches in 2008 from a range of well-known U.S. companies and government entities. That was more than 47 percent more incidents than the 446 breaches in 2007.
Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law. But the ITRC said it is likely many more than 35 million records were lost since some companies do not reveal how many records were compromised.