The cost of data breaches: Looking at the hard numbers

The estimates, however, have churned out vastly different figures, further adding to the confusion. For example, a U.S. Department of Justice study, published in August 2006, determined that the average loss per incident was $1.5 million. These calculations conflicted with a 2005 CSI/FBI survey that estimated the cost to be $167,000. Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8 million per breach, while some CISOs put the cost to recover from a security incident at $1,000 per hour.

And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Puzzlingly, of companies that confirmed a personal data loss, 11% said that they did not incur any additional costs. But let me tell you, if you have a data breach, you will incur additional costs, significant enough to even put you out of business.

Tangible costs
Tangible costs are the unbudgeted expenses resulting from a security breach. These costs typically include legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers. Surprisingly, most estimates agree on this cost to be around $50 per record. This cost has increased slightly over previous years, but will continue to be somewhere around this number.

Regulations and lost employee productivity
When employees and contractors are diverted from their normal duties in order to address data breach controls, a company loses money. According to a Ponemon Institute survey, this cost had increased 100% in 2006 from $15 per record in 2005, to $30/record in 2006. The primary reason for this increase has been the growing number of entities and regula

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

As the ChoicePoint data breach has shown, where the personal financial records of more than 163,000 consumers had been compromised, the Federal Trade Commission and other judiciary committees may also get involved and impose their own requirements and restrictions. This cost is bound to increase in the future, as well.

Stock price
In the long run, a security breach does not have a significant effect on a company's stock price, but it could. A stock typically dips immediately after a data breach, but the price rebounds quickly, and after one year there is very little evidence of the breach affecting the stock.

The aftermath of the ChoicePoint data breach was an exception: its stock price fell 3.1% on the day the breach was reported, and then continued to fall. Five days after the story made the papers, its stock plummeted by nearly 10%. Now, almost two years after the data debacle, the stock is about 20% lower. The reason for its unique long-term loss can be linked to a change in its top-line offerings. ChoicePoint reacted to the breach by dropping some of its information products. So even though a company's stock may recover soon after a security blunder, a lengthy recovery period is certainly a possibility.

Opportunity cost
Companies also typically experienced customer losses after a breach, but the severity varies significantly as well. Typically, banks and hospitals have had the lowest churn rates, and retail outlets have had the highest.

A more significant issue at hand is the difficulty in acquiring new customers -- or new customer opportunities -- after a security breach. This number is hard to quantify, but most estimates compare these expenses to tangible costs. A Ponemon study, for example, puts opportunity cost at $98 per record, a 31% increase from 2005. This number is expected to grow as customers' security expectations increase and businesses compete on data protection technology.

Regulatory requirements and fines
When a breach occurs, both customers and regulators need to be satisfied. Regulators may impose additional security requirements or fines. For example, Visa levied $4.6 million in fines, penalizing companies that mismanaged sensitive customer data; the company levied $3.4 million in 2005. Similarly, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress to settle the Federal Trade Commission's demands. As laws and regulations increase, this cost will become much more significant.

Conclusion
All things considered, a security breach can cost you anywhere between $50 to $250 per record. Depending on how many records are at stake, individual breach costs may run into millions or even billions of dollars -- and organizations still aren't prepared to protect their environments. Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped.

About the author:
Khalid Kark, CISSP, CISM is a senior analyst with Forrester Research Inc. in Cambridge, Mass., where he covers security strategy, including communication strategies, security organization, and the role of information security in corporate governance.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Enterprise Data Protection,   Identity Theft and Data Security Breaches,   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Information Security Incident Response,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Common PCI questions: Web application firewalls or source code review? PCI management: The case for Web application firewalls The basics of enterprise GRC project management PCI DSS: The structure of a standard How to choose between source code reviews or Web application firewalls HIPAA compliance: New regulations change the game Data security best practices for PCI DSS compliance Key elements of a HIPAA compliance checklist A preview of PCI virtualization specifications Strategies for email archiving and meeting compliance regulations Identity Theft and Data Security Breaches TJX to pay $9.75 million for data breach investigations Man pleads guilty in online banking hacking scam White House cybersecurity czar faces major hurdles Heartland breach cost $12.6 million, CEO says An inside look at security log management forensics investigations LexisNexis investigates breach, notifies thousands Senators hear call for federal cybersecurity restructuring Former Federal Reserve Bank employee arrested Attackers cash in on fundamental data handling mistakes, Verizon finds Courts turn aside data breach suits Information Security Incident Response Tying log management and identity management shortens incident response Tabletop exercises sharpen security and business continuity Security book chapter: Applied Security Visualization The challenges of incident response plans and procedures CISOs, human resources cooperation vital to security After a data breach, are there legal implications of sharing details? Boosting morale of the information security staff after a data breach Recovering stolen laptops one step at a time IT security pros face challenge during economic crisis Spotlight article: Domain 9, Physical Security Information Security Incident Response Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.