JUNE 9, 2010

The Cost of a Data Breach?

UPDATE: Read The Cost of Corrective Action vs. Proactive Network and Cloud Testing: Lessons from the Sony Breach

What does a data breach cost a company? This question is asked daily, and many analyst and research groups are continuously trying to answer it. In fact, it seems like we hear as many reports unveiling the cost of a data breach as we do about actual data breaches. The problem is that there are so many different answers that it becomes difficult to find a number that is accurate for your particular business. Yesterday, I spotted some new numbers reported by Jon Oltsik of ESG on his Network World blog:

Based on many, many anecdotal conversations, ESG continues to estimate a cost of between $30 and $150 per record. Why the range? The majority of breaches are small and local, in the hundreds of lost records. When your local hospital is breached, the clean-up costs are a lot less than when it happens to Citigroup.

I appreciate the fact that Jon and ESG give such a large range in their analysis, since attaching an exact figure to the cost of a data breach per record, across a variety of industries, is nearly impossible. Jon goes on to discuss this point by looking at the data breach cost findings from the Ponemon Institute, which I find a bit hard to swallow. Ponemon has pinpointed the cost at $204 per compromised record in 2009, up from $202 in 2008. That is fairly specific and tough to align with your business unless you meet the exact criteria of this particular study: the same mix of industries, breach sizes and cost categories that Ponemon sampled.

But we still need these numbers so that we can estimate the potential financial loss from a data breach. This is obviously important for companies trying to determine overall risk. But the numbers are also used to communicate the potential savings realized by a product that can help prevent data breaches in some way (like our own). Too often, companies that provide those types of solutions simply look for the best number to drive their point home in a press release or a web page. In this case, $204/record is higher than $150/record, so it will probably be cited more often throughout the industry. As we all know, this is not the best way to market a product: a single per-record figure carries assumptions about industry, breach size and cost categories that rarely match the buyer's situation, and a savings claim built on it inherits every one of those assumptions.

We can argue about the number itself, how it was derived and which companies were used to determine the eventual cost. However, I find it just as important to be critical of where the "costs" of a data breach are coming from. These could range from fines for PCI DSS non-compliance, to potential lost revenue, to a company having to pay for credit monitoring for the thousands of people affected. Obviously these costs differ by industry, hence Jon's comment about the impact of a data breach at a hospital versus a financial institution. But they also differ by the size of the company, its location, the size of the average breach and more. One could even argue that, depending on a person's circumstances, a breach of health records may be more "costly" than having your bank account broken into. It is all relative. The onus is on all of us to examine not only the types of companies and breaches used in determining the cost, but also the actual cost scenarios that were counted.

So what number(s) do you use when calculating the cost of a data breach?

Comments

Matt Sarrel

Interesting post. I wrote up a little commentary on my blog http://www.toptechdog.com/editorial-opinion/the-cost-of-a-data-breach-blog-breakingpoint/

June 17, 2010, 8:14 AM
Kyle Flaherty

Matt, thanks for commenting and the commentary, I left a comment on your blog. /kff

June 17, 2010, 8:31 AM
Lee

Thanks for sharing this, Kyle. I had no idea that a data breach can be a serious risk to a company's expenses, not to mention its security. Keep posting.

June 2, 2011, 4:19 AM