An interesting benchmark study was done recently (published Jan., 2011) by Ponemon Institute, commissioned by Tripwire, Inc. The study, entitled “The True Cost of Compliance”, examines 46 companies, and involved interviews of 160 functional leaders.
The study spanned many industries: financial, retail, public sector, industrial, healthcare, transportation, consumer products, pharmaceutical, education & research, communications, technology, and energy.
The numbers were pretty interesting. They learned that, on average, non-compliance cost is 2.65 times the cost of compliance for these 46 organizations. (It was over 2 1/2 times! Staggering, when you think about it. Over 2 1/2 times more costly to be non-compliant.)
The average cost of compliance for the organizations in the study was $3.5 million. The average cost for organizations that experience non-compliance related problems was nearly $9.4 million.
There was (no surprise) a positive correlation between the percentage difference between compliance and non-compliance costs and the number of lost or stolen records during a 12 month period. The smaller the gap between compliance and non-compliance costs, the lower the frequency of compromised records.
Ongoing compliance audits reduce the total cost of compliance – another finding mentioned.
And, laws and regulations are the main drivers for investment in compliance activities. Perceived importance and difficulty of data compliance regulations (in descending order):
- PCI DSS
- U.S. state laws for data breach
- EU Privacy Directive
- HIPAA (including HITECH)
- International Laws by country
- Federal Privacy Act
There’s some good info in the Appendix 1 and 2, also. Appendix 1 summarizes what the compliance cost is in USD for each organization, looking at:
- Program Management
- Data Security
- Compliance Monitoring
And, Appendix 2 summarizes for each organization their non-compliance costs for:
- Business disruption
- Productivity loss
- Revenue loss
- Fines, penalties & settlement costs
(Appendix 2 is obviously higher for everyone across the board.)
A link to the report is listed below if you want to check it out. I’ve just given a thumb-nail description here.
Sr. Account Executive