What is the True Cost of a Data Breach? It May Not Be that Easy

As data breaches big and small continue to flood headlines, measuring the cost of these incidents remains a challenge.

Consider the following quotes:

“Average cost per record was 58¢…”

-2015 Verizon DBIR

“Over the past year, the cost of data breaches due to malicious or criminal attacks has increased from an average of $159 to $174 per record.”

-Ponemon 2015 Cost of Data Breach Study

“However, even the most significant recent breaches had very little impact on the company’s stock price.”

-Why Data Breaches Don’t Hurt Stock Prices, Harvard Business Review

These three statistics each paint a widely contrasting picture of the real impact of a data breach. What do you look at to make your analysis of the impact of a breach upon your organization? The stock market has never been representative of the most rational behavior; when you look at the investors who buy up stocks based on emotions or a gut feeling while ignoring the underlying financial fundamentals. After all, the stock market is first a way to make money – the social agenda investor, while real, takes a back seat to the profit-driven investor. A quick look at the 5 year stock chart of several of the recent victims of high profile breaches serves to illustrate the point that investors will overlook certain facts, like 100MM leaked customer records, in the interest of portfolio growth.

Whether anyone can truly devise a robust cost model of a breach is, in my opinion, unlikely – there are simply too many variables for that algorithm to be accurate. What I would like to look at, and have people consider in the wake of stories about how shareholders don’t care, is how different types of costs have different levels of impact for different organizations. The goal in measuring the cost of a data breach should be to create a cost model that applies to the business you care most about: yours. That said, let’s look at some of the different types of costs businesses incur from data breaches.

The easily quantified costs: What are the areas where you know the steps taken and their concrete costs? If you are issuing payment cards today, you should have a good idea of that cost; replacement cards will require a similar investment to maintain your customers. Here are a few examples of easily quantified costs:

  • Replacing credit cards
  • Insurance premium increases
  • Regulatory fines (if applicable)
  • Direct financial losses caused by a breach (theft, fraud)
  • Settlements

The more difficult costs to quantify: For these costs the difficulty lies in predicting the value of things such as product design and development or other intellectual property. Losing one year of development isn’t as easy to quantify from a cost perspective as salary costs; the market has moved, competitors have evolved. Examples of costs that are more difficult to quantify include:

  • Stolen IP
  • Business development plans
  • Marketing strategy
  • Business downtime

The most difficult costs to quantify: Try as we might, there are some data breach costs that prove extremely difficult to valuate. There are questions as to whether Ashley Madison will survive as a business given that what they purportedly selling, discretion, was so egregiously violated in their data breach. Executive turnover – a common event in the fallout from a data breach – can also be costly in terms of company strategy and leadership, yet those costs too are very difficult to put a hard number on. Among the hardest breach costs to quantify are:

  • Damage to brand equity/reputation
  • Replacing executive staff
  • Loss of competitive advantage

Breach cost. Full stop. No asterisk. How much they cost is an answer that can only be calculated with the internal information you possess about your company, and this number may not be calculable until several years after the breach. Sorry to say, but the real world is a messy place sometimes.

Bill Bradley

451 Research: The DLP Market by the Numbers

Get the 451 take on the resurgence of the DLP market, with projections for market growth over the next five years and the top security challenges for 2016.

Download the report

Related Articles
First Data Breach of 2019 Disclosed Hours Into New Year

It was bound to happen sooner or later. But this soon? The first data breach of the New Year, disclosed just hours into 2019, affects 30,000 individuals.

Friday Five: 3/9 Edition

DDoS attacks, data breach settlements, and dark web crackdowns -- catch up on the week's infosec news with this roundup!

Last Year: The Worst Year (Again) for Healthcare Data Breaches

A report from the firm Bitglass said healthcare breaches hit an all-time high in 2016, amid warnings that even pediatric patient data is being used by cybercriminals and identity thieves.

Bill Bradley

Bill Bradley is director of product marketing at Digital Guardian, bringing over 20 years of technology, marketing, and sales experience to the role. He spent the first portion of his career in field sales and brings this customer-centric mentality to his role in marketing for Digital Guardian. Prior to Digital Guardian Bill was at Rapid7 and the General Electric Corporation.

Please post your comments here