Whoa, I missed this report by Ponemon. Larry really has a knack for trying to put a very specific number on the cost of a breach. Secure Computing says he has found that Data breaches to cost more in the cloud

Incidents that involved a third party — such as a cloud computing or software-as-a-service (SaaS) provider — had a higher average cost of $152 per record, compared to $109 for incidents that occurred and were handled in-house.

PGP CEO Phillip Dunkelberger told iTnews that organisations operating in the cloud incurred higher costs because of issues to do with territorial jurisdictions, and additional investigation and consulting fees.

I do not think crossing territorial boundaries is exclusive to the cloud. Furthermore, it makes sense that working with a provider adds an additional layer of legal representation and teamwork, but that does not translate directly into more load. Larger teamwork can also mean delegation and services are more efficient, which might offset some load.

Imagine a cloud adding breach response and legal consulting to the growing list of services, especially if they have prior experience and templates for notification. With a little twist and some preparation the cost just went down again.

Oh, wait, no Ponemon says that costs more too.

The report found data breach incidents to cost 25 percent more when the remedy was managed by an external consultant or firm.

An even more sobering statistic is found towards the bottom.

The report found malicious attacks and botnets to account for 44 percent of data breaches. 31 percent of incidents were attributed to system glitches and the remaining 25 percent to negligence.

Thirty-one percent of all cases involved mistakes by third parties such as cloud computing or SaaS providers.

That says to me a vast majority of breaches did not involve third parties. Alternatively, it says that bringing in a third party has a significant chance of causing a breach due to a “mistake”. That is better than malice, but still pretty high in terms of risk. It begs the question what percentage of providers assumed liability/responsibility for their mistake?