BreachExchange mailing list archives

The Cost of a Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 15 May 2015 13:18:50 -0600

http://www.jdsupra.com/legalnews/the-cost-of-a-data-breach-57563/

In 2014, the Ponemon Institute published the 2014 Cost of Data Breach Study
that includes interesting cost information related to remediation efforts
undertaken by 61 companies that operate in the United States.

The study reports that the average remediation cost for each lost or stolen
record containing confidential or sensitive information was $201.  The
average total cost of remediation efforts was $5.85 million per incident.

The number of breached records per incident studied ranged from 5,000 to
slightly more than 100,000 records.  The average number of breached records
in the Study was 29,087.  The average cost of $201 per record represents a
7% increase over the average of $188 per record found in Ponemon’s 2013
study.

In responding to a breach, businesses incur more in indirect costs than
direct costs.  The Ponemon study explains that direct costs refer to what
companies spend to minimize the consequences of a data breach and to assist
victims.  These costs include engaging forensic experts to help investigate
the data breach, hiring lawyers to help manage the breach and any required
notification or third party claims, and offering identity protection
services to impacted data subjects. The study reports that $67 or 33% of
the $201 per compromised record was spent on direct costs. On average
companies spent 8.6% of the average $5.9 million per incident – roughly
half a million dollars – on notification costs as a direct expense.

Indirect costs are costs incurred in regard to existing internal resources
to deal with the data breach.  The report calculates that $134 or 67% of
the $201 per compromised record is made up of these costs. These costs
include the amount of time, effort and other organizational resources
spent, but not direct out-of-pocket expenditures. Included as an indirect
cost is the amount of time employees spend on data breach notification
efforts.

Most businesses also incur lost opportunity costs associated with a breach
incident.  This results from diminished trust or confidence by present and
future customers. As the study notes, the negative publicity associated
with a data breach incident causes reputation effects that result in
abnormal turnover rates and a diminished rate of new customer acquisitions.
The study researched this effect and found that lost customer business and
customer acquisition costs amounted to 42% of the total cost of $5.85 million
per incident – roughly two and a half million dollars.  These costs are
indirect, but very real.

The study quantifies what is commonly known.  When a business suffers a
data breach that requires notification of the incident, the direct and
indirect costs are significant. It’s not surprising that the study also
includes a chart which shows a direct linear correlation between the number
of compromised records and the cost of the response.

Interestingly, the study found that those businesses that had an incident
response plan in place before the breach occurred spent on average $17 less
than the overall average $201 per compromised record.  That may not seem
like a lot of money, but it’s nearly 8.5%.  When applied to an average cost
for data breach of $5.85 million, a savings of 8.5% is nearly a half
million dollars.  For insight into how to develop an incident response
plan, see our post – Do You Have Data Breach Response Plan?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 