What CEOs Can Learn From Target Breach

Ponemon on Getting Executives Involved in Breach Resolution

Larry Ponemon

CEOs should become more involved in breach preparedness and response because of the financial consequences a breach could have on the enterprise, says Ponemon Institute Chairman Larry Ponemon.

The institute recently issued its 2014 Cost of Data Breach Study, conducted for IBM, which shows that the cost of breaches, in most countries, is on the rise, a matter that should be of concern to top management, Ponemon says in an interview with Information Security Media Group (transcript below).

Ponemon laments that CEOs generally don't get involved with breaches unless it's a massive one, like the attack on Target's point-of-sale system.

"Data breaches of 10,000 to 100,000 records are really significant events for the people who are, unfortunately, victims, but a lot of CEOs would say, 'Ah, that's small change,' relative to other things they have to worry about," Ponemon says. "And that's a mistake. Obviously, you want CEOs to be involved, at least to some extent, on dealing with the external consequences of the data breach."

In the interview, Ponemon explains:

- Why healthcare tops the list of industries with the highest per-capita breach cost.
- How the lack of a national breach notification law in the United States drives up costs for American enterprises (see Why U.S. Breach Notice Bill Won't Pass).
- Why organizations that provide early data breach notification to customers and stakeholders experience higher costs.

Ponemon in 2002 founded the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. He also is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute.

ERIC CHABROW: Any new surprises found from this year's breach survey?

LARRY PONEMON: Really nothing that jumps out at you. It just shows that the cost of a data breach is still pretty significant. If you read between the lines, the cost has steadily increased. It's not an easy issue; we heard that the CEO of Target stepped down because of the data breach. There are real serious consequences to companies that are dealing with data loss or data theft.

Costs Rising

CHABROW: Why do you suspect costs are going up?

PONEMON: Fundamentally, a data breach is a bad thing. Obviously when you lose data and it gets into the hands of a cybercriminal, it could be devastating, but there is also reputational impact. We measure that by the churn or turnover of customers that results from the notification of a data breach. This churn, which may be a small percentage, when you look at the loss of the lifetime value of an individual customer, could be an enormous loss. Even small percentages of churn, abnormal churn, translate into big costs. I think people and organizations don't realize it's a trust factor.

When someone, an organization you do business with like your bank or healthcare provider, loses your data, or, even worse than that, [makes you] a victim of a cybercrime, you realize they didn't have the right security protocols in place. That is a meltdown. It is a trust relationship that basically goes sour pretty quickly, and we notice that [in] entrusted industries like financial services, churn rate tends to be a lot higher than in retail organizations.

CEO's Responsibility

CHABROW: What does the Target CEO leaving say about the responsibilities of CEOs and boards when it comes to data breaches?