How to Value the Cost of a Data Breach
As the Founder and CEO of a technology consulting firm, there are many proprietary data concerns that we must consider and protect, not the least of which is our client information. While our firm, Corporate Technologies, Inc. (CTI), may not be directly subject to data security regulations, providing services to many of our clients obligates us to demonstrate the same approach to data security as any regulated entity. It goes without saying that our firm goes to great lengths to ensure the confidentiality of our clients and the security of any of their data or proprietary information that we may possess. What we’ve learned over the years is that every business has different data security requirements and every industry has its specializations that require a certain depth of knowledge to navigate. In fact, that experience helped shape the security solutions we offer our clients today.
Your organization is unique in terms of the impact that a data breach would have on the business. However, within industry segments there are common critical areas that need specific attention. For example, in retail, credit card data is most important; in healthcare, it’s PII (personally identifiable information); and for manufacturers, intellectual property loss can have the greatest impact. Beyond the consequences specific to each of these breach types, an often underestimated, very significant and costly impact common to all organizations is business disruption.
Of course, no one wants to think it can happen to their organization, but we all secretly worry that it might. Why is this so? I guess it’s the “tired but true” analogy: no one likes to spend money on life insurance let alone contemplate the reasons for the need.
But the rationalization process for determining the form and amount of investment in data breach protection is the same (i.e., what ongoing investments must your company make to avoid the financial consequences). So, it’s paramount to make an honest assessment of the true costs of a data breach to your company in order to avoid a “financial surprise”.
First, consider assigning a monetary value to the obvious, well-known post-incident remediation costs:
- Customer breach notifications if personal information is stolen
- Post-breach customer protection expense
- Fines for regulatory compliance violations
- Public relations/crisis communications
- Attorney fees and litigation expense
- Technical investigations to determine extent of damage, identify vulnerabilities for remediation
- Unplanned investments in cybersecurity improvements and data restoration
Don’t forget the hidden or less visible costs that are more difficult to assign a value to such as:
- Liability insurance premium increases
- Operational disruption, downtime, unplanned outages
- Loss of customer lifetime value and customer churn
- Value of lost future contract revenue
- Devaluation of your brand
- Loss of intellectual property, customer information and employee records
The timing and duration of the breach can have broad ramifications involving the level of financial penalties paid to customers, amount of lost revenues, increase in customer service costs, and loss of future opportunities.
The Inescapable Costs of a Breach
The most quantifiable impact on your organization is the one which is felt first, and that is the economic cost of incident response and remediation. This involves containing and responding to the attack, investigation into any resulting breach, public relations, compliance fines, credit monitoring services, and expenses on the back end to harden defenses in a way such that the attack can’t be easily repeated. For moderate to large organizations this can easily amount to millions of dollars in expenses.
How do you Quantify the Costs?
Benchmark study data is available which establishes a framework for capturing these costs. The Ponemon Institute, LLC conducted its first independent study, Cost of Data Breach in the United States, 11 years ago. Per its 2016 Cost of Data Breach Study: United States, sponsored by IBM, this year saw the highest average cost per record breached. The costs presented in this research are based upon cost estimates provided by individuals Ponemon interviewed over a ten-month period at the companies represented in the study.
- Based on participation by 64 US Corporations in 16 industry sectors, the average cost for each lost or stolen record containing sensitive and confidential information increased from $217 to $221.
- The average number of breached records was 29,611 – with the range being 5,000 – 100,000. They purposely didn’t include breaches of over 100,000 records because they’re not indicative of what’s incurred by most organizations and would distort the analysis.
- The total average cost that organizations paid increased from $6.53 million to $7.01 million.
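As an added illustration (not part of the original post, and not CTI's or the Ponemon Institute's own method), the following Python script turns the two cost lists above into a simple breach-cost model and checks the result against the benchmark figures quoted from the 2016 study. Every line-item amount is constructed for a hypothetical 30,000-record breach, and the `expected_annual_loss` step, which weighs the per-breach total by an assumed yearly likelihood, is an added assumption for comparing the exposure against an ongoing protection budget.

```python
from __future__ import annotations
from dataclasses import dataclass

# Benchmark figures quoted in the post from the Ponemon 2016 US study.
BENCHMARK_COST_PER_RECORD = 221.0
BENCHMARK_AVG_TOTAL_COST = 7_010_000.0
BENCHMARK_RECORD_RANGE = (5_000, 100_000)  # the study excluded breaches above 100,000 records

# Cost categories taken from the two lists in the post.
DIRECT_CATEGORIES = frozenset({
    "breach notifications",
    "post-breach customer protection",
    "regulatory fines",
    "public relations / crisis communications",
    "attorney fees and litigation",
    "technical investigation",
    "unplanned security improvements and data restoration",
})
HIDDEN_CATEGORIES = frozenset({
    "liability insurance premium increase",
    "operational disruption and downtime",
    "customer churn and lost lifetime value",
    "lost future contract revenue",
    "brand devaluation",
    "loss of IP, customer information and employee records",
})


def validate_line_items(items: dict[str, float], allowed: frozenset[str]) -> list[str]:
    """Return a list of problems with the line items (empty when they are usable)."""
    problems = []
    for name, amount in items.items():
        if name not in allowed:
            problems.append(f"unknown category: {name!r}")
        if amount < 0:
            problems.append(f"negative amount for {name!r}: {amount}")
    return problems


@dataclass(frozen=True)
class BreachCostEstimate:
    records_breached: int
    direct: dict[str, float]  # visible post-incident remediation costs
    hidden: dict[str, float]  # less visible, harder-to-value costs

    def direct_total(self) -> float:
        return sum(self.direct.values())

    def hidden_total(self) -> float:
        return sum(self.hidden.values())

    def total(self) -> float:
        return self.direct_total() + self.hidden_total()

    def hidden_share(self) -> float:
        """Fraction of the total that sits in the hidden categories."""
        return self.hidden_total() / self.total()

    def cost_per_record(self) -> float:
        return self.total() / self.records_breached

    def benchmark_comparison(self) -> dict[str, float | bool]:
        """Sanity-check the estimate against the study averages quoted in the post."""
        lo, hi = BENCHMARK_RECORD_RANGE
        return {
            "within_study_record_range": lo <= self.records_breached <= hi,
            "benchmark_total_for_same_records": BENCHMARK_COST_PER_RECORD * self.records_breached,
            "per_record_ratio_to_benchmark": self.cost_per_record() / BENCHMARK_COST_PER_RECORD,
            "total_ratio_to_benchmark_average": self.total() / BENCHMARK_AVG_TOTAL_COST,
        }


def estimate_breach_cost(records_breached: int, direct: dict[str, float],
                         hidden: dict[str, float]) -> BreachCostEstimate:
    """Build an estimate, rejecting unknown categories, negative amounts and a zero record count."""
    problems = (validate_line_items(direct, DIRECT_CATEGORIES)
                + validate_line_items(hidden, HIDDEN_CATEGORIES))
    if records_breached <= 0:
        problems.append("records_breached must be positive")
    if problems:
        raise ValueError("; ".join(problems))
    return BreachCostEstimate(records_breached, dict(direct), dict(hidden))


def expected_annual_loss(estimate: BreachCostEstimate, annual_breach_probability: float) -> float:
    """Assumed annualised view (an addition, not from the post): per-breach loss times the
    yearly likelihood of a breach, the figure an ongoing protection budget can be weighed against."""
    if not 0.0 <= annual_breach_probability <= 1.0:
        raise ValueError("annual_breach_probability must be between 0 and 1")
    return estimate.total() * annual_breach_probability


def sample_estimate() -> BreachCostEstimate:
    """Constructed figures for a hypothetical 30,000-record breach (not real data)."""
    direct = {
        "breach notifications": 90_000.0,
        "post-breach customer protection": 450_000.0,
        "regulatory fines": 250_000.0,
        "public relations / crisis communications": 120_000.0,
        "attorney fees and litigation": 800_000.0,
        "technical investigation": 350_000.0,
        "unplanned security improvements and data restoration": 600_000.0,
    }
    hidden = {
        "liability insurance premium increase": 75_000.0,
        "operational disruption and downtime": 900_000.0,
        "customer churn and lost lifetime value": 1_500_000.0,
        "lost future contract revenue": 1_200_000.0,
        "brand devaluation": 500_000.0,
        "loss of IP, customer information and employee records": 400_000.0,
    }
    return estimate_breach_cost(30_000, direct, hidden)


if __name__ == "__main__":
    est = sample_estimate()
    print(f"direct ${est.direct_total():,.0f}  hidden ${est.hidden_total():,.0f}  total ${est.total():,.0f}")
    print(f"per record ${est.cost_per_record():,.2f} (benchmark ${BENCHMARK_COST_PER_RECORD:,.2f})")
    print(est.benchmark_comparison())
    print(f"expected annual loss at 10% yearly likelihood: ${expected_annual_loss(est, 0.10):,.0f}")
```

Run it as a script to see the totals; the `hidden_share` figure is the point the post makes about hidden costs: with these constructed numbers the hard-to-value categories make up roughly 63% of the total, so an estimate built only from the visible remediation list would understate the exposure by more than half.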
The companies in the survey experienced the loss or theft of protected personal data and then had to notify breach victims as required by various laws. Most data breaches reported were caused by criminal and malicious attacks. These breaches take the most time to detect and contain and thus are the costliest.
In my next blog, I’ll examine different models for proactive threat monitoring, detection and management using security information and event analytics to stay ahead of the bad guys.