Archive for the 'Data Breach Law Compliance' Category

Data Breach Insurance: Prevention Is the Best Medicine

Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal details about its customers. Either way, a data breach can cause millions of dollars in damages.

It’s no wonder then, that businesses are talking more about data breach insurance. This coverage is designed to provide businesses with compensation for legal costs and other expenses incurred in the aftermath of a data breach, such as identifying the source of the leak and notifying those whose information may have been compromised.

Are Health Organizations Keeping Patient Data Safe?

A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than 20,000 patient medical records were exposed in yet another hospital data breach. A report from the Health and Human Services Department (HHS) found that more than 7.8 million people had their medical information compromised in more than 30,500 breaches since the enactment of HITECH, while a report from the Digital Forensics Association shows that disclosure of health industry data breaches has increased markedly during this same timeframe.

By the numbers, it would seem that the healthcare industry is in crisis when it comes to protecting patient data, and it’s costing them. According to the Ponemon Institute 2011 U.S. Cost of a Data Breach study, sponsored by Symantec, health data breaches cost $301 per lost record, which is 40 percent higher than average. Contributing to the higher cost is compliance with data protection regulations that require health organizations to do more to find, disclose and fix breach-related problems. In addition to disclosure laws in 49 states, healthcare organizations also must comply with HIPAA and HITECH.

Regulations Driving Data Breach Costs Higher Worldwide

It seems that no matter where you are, you’re paying more for a data breach these days. The Ponemon Institute, together with Symantec, released results of the second annual 2010 Global Cost of a Data Breach report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary between regions. The United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114 (a whopping $100 less than the United States).

But enough with the numbers; the interesting part is what’s behind the rising global cost of a data breach. It’s certainly true that companies face intense pressure to improve data security. In 2010, there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile data breaches really aren’t anything new, though they’re probably getting more attention than in years past. What has continued to evolve is regulation.

Is Tokenization the Cure for Meeting PCI DSS and Minimizing Data Breaches?

One thing gaining traction in PCI DSS is the notion of tokenization, which substitutes a unique identifier (a token) for the credit card data after its first use in an authorized transaction. The actual card data is then stored in a centralized, highly secured server called a “vault,” and the token is used everywhere else in its place. This approach removes the actual card data from the applications and systems that don’t need it and shrinks the Cardholder Data Environment (CDE) that’s in scope for PCI. This, in turn, makes PCI compliance easier to manage and meet.

Why? Because if a system, application or host doesn’t actually store, process or transmit card data (remember, it’s holding a token instead), then it may not be in scope for the PCI environment. This can significantly reduce how many “things” are part of the PCI environment. Another advantage of PCI tokenization is that if an attacker compromises a system and obtains the token, it isn’t card data and cannot be turned back into card data without the vault, which reduces the impact of a data breach. The caveat is that the vault itself, and anything able to call it to retrieve the original card number, remains squarely in scope, so the vault’s access controls matter more, not less.
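The vault-and-token model described above, as an added example rather than code from the original post, from Symantec or from any PCI SSC document. It assumes an in-memory dictionary standing in for the vault’s protected store, a keyed HMAC index so the vault can return the same token for a repeat PAN without keeping a plaintext lookup table, format-preserving tokens that keep the last four digits but deliberately fail the Luhn check so they can never be mistaken for a live card number, and a hypothetical caller allow-list standing in for the vault’s real access control. The sample PAN is a widely published test number, not a real card.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed sample input: a well-known Visa test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_data(value: str) -> bool:
    """The filter a card-data discovery scan typically applies: digits, card length, Luhn."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """In-memory stand-in for a token vault (hypothetical design for this example).

    The vault is the only component that ever sees the PAN; every other system
    stores the token it hands back. Tokens are random, so a stolen token cannot be
    reversed into a PAN without access to the vault.
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._token_to_pan: Dict[str, str] = {}  # the protected store (assumed encrypted at rest in a real vault)
        self._pan_index: Dict[str, str] = {}     # HMAC(pan) -> token, so repeat PANs reuse one token

    def _index(self, pan: str) -> str:
        # Keyed HMAC: the dedup index does not expose PANs if dumped on its own.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Format-preserving: same length and real last four digits (for receipts and
        # customer service), random remainder, and rejected if it happens to pass Luhn
        # or collide with an existing token. Failing Luhn keeps tokens out of card-data scans.
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            candidate = head + pan[-4:]
            if luhn_valid(candidate) or candidate in self._token_to_pan:
                continue
            return candidate

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token; the same PAN always maps to the same token."""
        if not looks_like_card_data(pan):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._pan_index:
            return self._pan_index[idx]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Return the PAN for a token. Hypothetical allow-list: only the payment-gateway
        adapter may de-tokenize; every other caller stays out of CDE scope by design."""
        if caller != "payment-gateway":
            raise PermissionError(f"{caller} is not permitted to detokenize")
        return self._token_to_pan[token]


def order_record(vault: TokenVault, pan: str, amount_cents: int) -> Dict[str, object]:
    """What the order database keeps: a token, never the PAN."""
    return {"card": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = order_record(vault, SAMPLE_PAN, 1999)
    print("stored record:", record)
    print("token looks like card data?", looks_like_card_data(record["card"]))
    print("gateway sees:", vault.detokenize(record["card"], "payment-gateway"))
```

Two properties do the scope-reduction work here: the token is random rather than derived from the PAN (a plain hash of the PAN would be brute-forceable given a known BIN and the Luhn constraint), and the only path back to the PAN is a vault call that is restricted to the payment-gateway role. Systems that hold tokens and never call `detokenize` are the ones the text says may fall out of scope.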

Cost of a Data Breach Climbs Higher

Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.

But, that hasn’t happened yet. The latest U.S. Cost of a Data Breach report (PDF), which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only the direct costs of a data breach, such as notification and legal defense costs, that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.

ICO enforces first data breach fines – four steps to avoid them

Yet again, data breaches are in the spotlight. The Information Commissioner’s Office (ICO) issued its first round of data breach fines last week, effectively giving the Data Protection Act (DPA) “teeth.” The ICO showed that its bite lives up to its bark, penalizing a local council and an employment services firm to the tune of a combined £160,000.

But, future fines are largely avoidable, if organisations adhere to security best practice. For a data breach to attract financial penalty, the ICO must be satisfied that a serious breach is likely to cause “damage or distress” and that it was either “deliberate” or “negligent” and that the organisation “failed to take reasonable steps to prevent it.”

Information has become the lifeblood of organisations and it must be managed properly. To avoid further data breach fines, organisations need clear guidelines in place to determine how sensitive information is used.

New Research Shows Compliance Driving More Encryption Adoption

Recently, the Ponemon Institute completed the 2010 Annual Study: U.S. Enterprise Encryption Trends. This was the fifth year for the annual study on encryption usage and the results indicate a distinct shift in what’s driving companies to implement encryption technologies.

In past years, data breach mitigation has consistently been the top driver of encryption adoption; organizations were buying encryption in response to a breach. But, for the first time, regulatory compliance has surpassed data breach mitigation as the top reason organizations deploy encryption technologies.

And, there’s no shortage of industry data protection and privacy regulations to comply with. There’s a veritable alphabet soup of regulations—HIPAA, PCI, HITECH—plus more data protection legislation at the state level. The impact of all these regulations is reflected in our research.

Organizations are getting ahead of the curve with their encryption strategy before the breach occurs, not after. They want to prevent exposure and make sure data is safe; and they’re allocating the funds to do so.

Common Barriers to PCI Compliance and DSS 2.0

As a QSA I’m often asked which requirements organizations typically struggle with, what solutions they implement, and how these factor into the cost of compliance. With the introduction of PCI DSS 2.0 this year I’m adding another question to the mix: how does the revised standard change this?

As I’ve posted previously, the changes to the DSS are evolutionary and should not present any major issues to organizations already in compliance. I would further add that I do not see the changes significantly shifting the landscape with respect to the challenges that organizations already face in complying. Before I dig into that, let’s take a look at what some of those challenges are, based on trends collected from the numerous PCI assessments Symantec’s Advisory Services QSA team has performed:

  • Lack of formalized policies, standards, and procedures: these may be “social” but not written, and may not be reflected in the actual implementations (applies to multiple Requirements).

What Does PCI DSS 2.0 Mean To Me?

Last week was the PCI Community Meeting in Orlando, FL. Symantec was represented by Chuck Kesler and me; we joined nearly 1,050 other professionals from across multiple industries for three days’ worth of sessions and presentations. The meeting was a great opportunity to hear about the state of payment card security, emerging technologies, the upcoming revisions to the Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS), and to network with clients and peers. It was also nice to put faces with the names and voices from the Scoping SIG after a year’s worth of work.

Having returned to the office, the question we’re now hearing is this: what does PCI DSS 2.0 mean to me? How will it impact my compliance efforts, and what will the cost be? And how long do I have to comply?