The cost of data breaches: Looking at the hard numbers

Khalid Kark Identity Theft and Data Security Breaches
million per breach, while some CISOs put the cost to recover from a security
incident at $1,000 per hour.

And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester
survey found that 25% of respondents do not know, or do not know how to
determine, the cost of data security breaches. Puzzlingly, of companies that
confirmed a personal data loss, 11% said that they did not incur any additional
costs. But let me tell you, if you have a data breach, you will incur additional costs,
and they can be significant enough to put you out of business.

Tangible costs
Tangible costs are the unbudgeted expenses resulting from a security breach.
These costs typically include legal fees, mail notification letters, calls to individual
customers, increased call center costs and discounted product offers. Surprisingly,
most estimates agree on this cost to be around $50 per record. This cost has
increased slightly over previous years, but will continue to be somewhere around
As the ChoicePoint data breach has shown,

the story made the papers, its stock plummeted by nearly 10%. Now, almost two
years after the data debacle, the stock is about 20% lower. The reason for its
unique long-term loss can be linked to a change in its top-line offerings.
ChoicePoint reacted to the breach by dropping some of its information products. So
even though a company's stock may recover soon after a security blunder, a
lengthy recovery period is certainly a possibility.

Opportunity cost
Companies also typically experience customer losses after a breach, but the
severity varies significantly. Banks and hospitals have had the lowest churn
rates, and retail outlets the highest.

A more significant issue at hand is the difficulty in acquiring new customers -- or
new customer opportunities -- after a security breach. This number is hard to
quantify, but most estimates compare these expenses to tangible costs. A
Ponemon study, for example, puts opportunity cost at $98 per record, a 31%
increase from 2005. This number is expected to grow as customers' security
expectations increase and businesses compete on data protection technology.

Regulatory requirements and fines

When a breach occurs, both customers and regulators need to be satisfied.
Regulators may impose additional security requirements or fines. For example, Visa
levied $4.6 million in fines on companies that mismanaged sensitive customer
data, up from $3.4 million in 2005. Similarly, ChoicePoint paid
$10 million in civil penalties and $5 million in consumer redress to settle the Federal
Trade Commission's demands. As laws and regulations increase, this cost will
become much more significant.

All things considered, a security breach can cost you anywhere from $50 to
$250 per record. Depending on how many records are at stake, individual breach
costs may run into millions or even billions of dollars -- and organizations still aren't
prepared to protect their environments. Although studies may not be able to
determine the exact cost of a security breach in your organization, the loss of
sensitive data can have a crippling impact on an organization's bottom line,
especially if it is ill-equipped.

About the author:

Khalid Kark, CISSP, CISM is a senior analyst with Forrester Research Inc. in
Cambridge, Mass., where he covers security strategy, including communication
strategies, security organization, and the role of information security in corporate

