BreachExchange mailing list archives

Costs of a data breach


From: "Sasha Romanosky" <sromanos () andrew cmu edu>
Date: Thu, 15 Oct 2009 19:17:07 -0400


Last week, I posed a question to the mailing list regarding the types of
costs a firm might incur due to a breach (i.e. costs that they would now have
to pay as a result of the breach disclosure laws). I received many responses
with information, and also a bunch of, "hey, I'm doing that too - let's
share info" or "hey, I'm interested in that, too, let me know what you
find."

I was also looking for data on relative orders of magnitude of these costs
in order to get some sense of what's a big deal and what's not. There wasn't
much there, but here's what I do know about: 
- Ponemon data breach study: table 3, p. 20 lists 11 types of costs from
2005-2008 as percent of cost of breach, aggregated for all subjects.
- tech-404.com: scattered examples of anecdotal stories but with numbers
(sources not cited); http://www.tech-404.com/claims.html#financial
- Forrester Research study: http://blogs.zdnet.com/BTL/?p=5007 shows another
kind of breakdown by 7 categories as portion of breach cost for companies in
regulated/non-regulated industries.
- Maine's data breach study (2008),
http://www.maine.gov/pfr/financialinstitutions/reports/pdf/DataBreachStudy.pdf
Lots of good stuff, but reflects the costs to banks as a result of
breaches by other companies (TJX, Heartland), rather than costs to the breached
firms themselves.


And so, from conversations with a few people, and scanning many reports, the
list below seems to reflect the disparate costs incurred by firms from a
breach. I sorted them by type: Business, Legal and Fees, rather than, say,
chronologically. 

I'm still trying to get more data around average (or median) costs, if only
to get a sense of how big a deal each one of these may be. Again, this is
meant to supplement, not replace, the reports listed above. 

I'd be tickled if others would add/correct this list as appropriate and send
numbers as they learn of them. 


Business
- investigating the cause of the breach, repairing IT systems, getting back
to a known trusted state of operations
- cost of forensic investigation and preservation of data as required by
law, "litigation hold"
- cost of maintaining customer support services to address customer
questions (e.g. websites, 1-800 numbers)
- cost of consumer redress (ID theft monitoring, insurance, etc.)
- cost of PR campaign to reassure customers how "safe" their data
still are
- HR cost involved in disciplining / firing employees
- losses borne from customer churn, aka lost business
- losses due to "reputational" effect / permanent stock market loss


Legal
- initial engagement with counsel to determine whether to notify anyone
- figuring out who to notify (I understand this can be a non-trivial
process)
- engaging counsel to draft letter / comply with breach laws
- engaging counsel to combat lawsuits (private or class action) against
affected customers
- whistleblower litigation (I told them there was a problem, that's why they
fired me)
- business-to-business dispute resolution (i.e. retail companies being sued
by banks)
- legal cost of settlements to state AG, or lawyer fees of other states


Fines / Fees
- regulatory fines imposed by the FTC, SEC, health agencies, etc.
- cost of implementing policies (staff, procedures, etc.) to address
regulatory decrees (e.g. as with FTC settlements)
- actual settlements to state AG, legal fees
- increased interchange fees for retail companies applied by the acquiring bank



Cheers,
sasha

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)