BreachExchange mailing list archives
Costs of a data breach
From: "Sasha Romanosky" <sromanos () andrew cmu edu>
Date: Thu, 15 Oct 2009 19:17:07 -0400
Last week, I posed a question to the mailing list regarding the types of costs a firm might incur due to a breach (i.e. costs that they would now have to pay as a result of the breach disclosure laws). I received many responses with information, and also a bunch of, "hey, I'm doing that too - let's share info" or "hey, I'm interested in that, too, let me know what you find."

I was also looking for data on relative orders of magnitude of these costs in order to get some sense of what's a big deal and what's not. There wasn't much there, but here's what I do know about:

- Ponemon data breach study: table 3, p. 20 lists 11 types of costs from 2005-2008 as percent of cost of breach, aggregated for all subjects.
- tech-404.com: scattered examples of anecdotal stories but with numbers (sources not cited); http://www.tech-404.com/claims.html#financial
- Forrester research study: http://blogs.zdnet.com/BTL/?p=5007 shows another kind of breakdown by 7 categories as portion of breach cost for companies in regulated/non-regulated industries.
- Maine's data breach study (2008), http://www.maine.gov/pfr/financialinstitutions/reports/pdf/DataBreachStudy.pdf. Lots of good stuff, but reflects the costs to banks as a result of breaches by other companies (TJX, Heartland), rather than costs to breached firms themselves.

And so, from conversations with a few people, and scanning many reports, the list below seems to reflect the disparate costs incurred by firms from a breach. I sorted them by type: Business, Legal and Fees, rather than, say, chronologically. I'm still trying to get more data around average (or median) costs, if only to get a sense of how big a deal each one of these may be. Again, this is meant to supplement, not replace, the reports listed above. I'd be tickled if others would add/correct this list as appropriate and send numbers as they learn of them.
Business:
- investigating the cause of the breach, repairing IT systems, getting back to a known trusted state of operations
- cost of forensic investigation and preservation of data as required by law, "litigation hold"
- cost of maintaining customer support services to address customer questions (e.g. websites, 1-800 numbers)
- cost of consumer redress (ID theft monitoring, insurance, etc.)
- cost of PR campaign to reassure customers how "safe" their customers' data still are
- HR cost involved in disciplining / firing employees
- losses borne from customer churn, aka lost business
- losses due to "reputational" effect / permanent stock market loss

Legal:
- initial engagement with counsel to determine whether to notify anyone
- figuring out who to notify (I understand this can be a non-trivial process)
- engaging counsel to draft letter / comply with breach laws
- engaging counsel to combat lawsuits (private or class action) against affected customers
- whistleblower litigation (I told them there was a problem, that's why they fired me)
- business-to-business dispute resolution (i.e. retail companies being sued by banks)
- legal cost of settlements to state AG, or lawyer fees of other states

Fines / Fees:
- regulatory fines incurred by FTC/SEC, health agencies, etc.
- cost of implementing policies (staff, procedures, etc.) to address regulatory decrees (e.g. as with FTC settlements)
- actual settlements to state AG, legal fees
- increased interchange fees for retail companies applied by acquiring bank

Cheers,
sasha

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)