While security breaches can cost a company dearly when it comes to a marred public image and a loss in customer confidence, the actual financial costs can be staggering.
The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. The research firm surveyed 28 companies that had some type of data breach.
"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," wrote senior analyst Khalid Kark in the report. "Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped, and it's important to be able to make an educated estimate of its cost."
Kark said calculating the cost of a breach is murky territory and he did the survey to shed some light on the costs associated with breaches, which seem to be reported with increasing frequency.
A recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Kark said the majority of organizations will incur a wide array of associated costs, sometimes significant enough to even put them out of business
Kark noted in the report that "it may seem like an impossible task to put a dollar value to your data breach exposure, given the variance in the numbers reported in the media," he wrote. "You will be doing a service to your business if you are able to make reasonable assumptions about your business and develop an estimate."
He reported that discovery, response, and notification costs can be substantial. He averaged them out to be about $50 per lost record. These costs generally include outside legal fees, notification costs, increased call center costs, marketing and PR costs, and discounted product offers. "Forrester has seen a slight increase in this cost due to the increasing number of jurisdictions and circumstances to which breach disclosure applies, but we estimate this cost to be somewhere in this ballpark in the next few years," Kark added.
Lost employee productivity also is a significant cost. When employees are diverted from their normal duties, or contractors are hired to respond to data breaches, the company incurs additional expenses, according to Kark, who noted that the Ponemon Institute calculated that this cost had increased 100% in 2006, going from $15 per record in 2005 to $30 per record in 2006.
Kark also added that the increased public attention to security breaches is contributing to this price increase. "Forrester surmises that the two primary reasons for this increase have been the distractions caused by press coverage of data disclosures and the growing number of regulations and contractual obligations organizations must satisfy," he said. "Previously, when a company had a data breach, a response team would fix the problem and test the mitigation, then the company would resume normal activities. Now we have to spend time on public relations efforts, as well as assuring both customers and auditors that new processes are in place to guard against such breaches in the future."
The report also noted that managers need to plan ahead for possible regulatory fines, loss in the company's customer base, restitution fees, and additional security and audit requirements.