The cost of data breaches: Looking at the hard numbers Page 1 of 3

Activate your FREE membership today | Log-in

SEARCH : Advanced Search | Site Index Powered by:

Microsoft Dynamics: ERP Software Your People Can Actually Use. Try It
Out Free.
Home > Security Tips > Compliance Counselor > The cost of data breaches: Looking at the hard numbers

Security Tips: EMAIL THIS

TIPS & NEWSLETTERS TOPICS

COMPLIANCE COUNSELOR
The cost of data breaches: Looking at the hard numbers
Khalid Kark Identity Theft and Data Security Breaches
03.21.2007
Rating: -4.17- (out of 5) NEWS, TIPS & MORE
RSS FEEDS: Enterprise IT tips and expert advice For data minders, 2007 was a year of living ... (ARTICLE)
Banks agree to settle lawsuits against TJX (ARTICLE)
TJX data breach costs could be settled in court ...
(ARTICLE)
As the frequency and gravity of security breaches has increased over the past few TJX offers $40.9 million breach settlement (ARTICLE)
years, there have been several attempts to estimate the costs associated with VIEW MORE
them.
VENDOR CONTENT

The estimates, however, have churned out vastly different figures, further adding to Webcast: Who's Reading Your Old Disk Drives?
the confusion. For example, a U.S. Department of Justice study, published in (WEBCAST)
August 2006, determined that the average loss per incident was $1.5 million. These
calculations conflicted with a 2005 CSI/FBI survey that estimated the cost to be [AD]
$167,000. Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8
million per breach, while some CISOs put the cost to recover from a security
incident at $1,000 per hour.

And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester
survey found that 25% of respondents do not know, or do not know how to
determine, the cost of data security breaches. Puzzlingly, of companies that
confirmed a personal data loss, 11% said that they did not incur any additional
costs. But let me tell you, if you have a data breach, you will incur additional costs,
significant enough to even put you out of business.

Tangible costs
Tangible costs are the unbudgeted expenses resulting from a security breach.
These costs typically include legal fees, mail notification letters, calls to individual
customers, increased call center costs and discounted product offers. Surprisingly,
most estimates agree on this cost to be around $50 per record. This cost has
increased slightly over previous years, but will continue to be somewhere around
this number. DR Testing Techniques (VIDEOCAST)
PCI Compliance Report: Cost Analysis Reveals Expense
Justified (WHITE PAPER)
Regulations and lost employee productivity Philips Medical Systems Cures Storage Heartache with
When employees and contractors are diverted from their normal duties in order to the Intel® Entry Storage System ... (CASE STUDY)
address data breach controls, a company loses money. According to a Ponemon VIEW MORE
Institute survey, this cost had increased 100% in 2006 from $15 per record in 2005,
to $30/record in 2006. The primary reason for this increase has been the growing SEE ALSO
number of entities and regulations that must be satisfied. Previously, if a company Related Topics:
had a data breach, a security team fixed the problem, tested the mitigation and then Identity Theft and Data Security Breaches , Viruses,
the company resumed normal activities. Now, the threat of a data breach forces Worms and Other Malware, Spyware, Adware and Trojans
companies to satisfy the industry regulators, like the Payment Card Industry (PCI) Site Highlights:
Security Standards Council for credit card breaches, or the HIPAA auditors for Free Online IT Training
healthcare regulations. Spyware Learning Guide

GET E-MAIL UPDATES

For more information on data
security breach costs...
According to a recent survey,
data breach costs have
skyrocketed. Read more about
it here.
As the ChoicePoint data breach has shown,
where the personal financial records of Submit your e-mail below to receive Security-related news,
more than 163,000 consumers had been tech tips and more, delivered to your inbox.
compromised, the Federal Trade c Current Threats
d
e
f
g
Commission and other judiciary committees
may also get involved and impose their own E-mail: Your E-mail Address
requirements and restrictions. This cost is Not a member? We'll activate your FREE
bound to increase in the future, as well. membership with your subscription.

In this exclusive Security Wire Stock price

Weekly podcast, Larry In the long run, a security breach does not
Ponemon talks about the have a significant effect on a company's
difficulty of spotting data stock price, but it could. A stock typically
dips immediately after a data breach, but
breaches.
the price rebounds quickly, and after one
year there is very little evidence of the
See how the TJX data breach breach affecting the stock.
has affected PCI compliance
efforts.
The aftermath of the ChoicePoint data
breach was an exception: its stock price fell
3.1% on the day the breach was reported, and then continued to fall. Five days after

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html 07-Jan-08
The cost of data breaches: Looking at the hard numbers Page 2 of 3

the story made the papers, its stock plummeted by nearly 10%. Now, almost two
years after the data debacle, the stock is about 20% lower. The reason for its
unique long-term loss can be linked to a change in its top-line offerings.
ChoicePoint reacted to the breach by dropping some of its information products. So
even though a company's stock may recover soon after a security blunder, a
lengthy recovery period is certainly a possibility.

Opportunity cost
Companies also typically experienced customer losses after a breach, but the
severity varies significantly as well. Typically, banks and hospitals have had the
lowest churn rates, and retail outlets have had the highest.

A more significant issue at hand is the difficulty in acquiring new customers -- or

new customer opportunities -- after a security breach. This number is hard to
quantify, but most estimates compare these expenses to tangible costs. A
Ponemon study, for example, puts opportunity cost at $98 per record, a 31%
increase from 2005. This number is expected to grow as customers' security
expectations increase and businesses compete on data protection technology.

Regulatory requirements and fines

When a breach occurs, both customers and regulators need to be satisfied.
Regulators may impose additional security requirements or fines. For example, Visa
levied $4.6 million in fines, penalizing companies that mismanaged sensitive
customer data; the company levied $3.4 million in 2005. Similarly, ChoicePoint paid
$10 million in civil penalties and $5 million in consumer redress to settle the Federal
Trade Commission's demands. As laws and regulations increase, this cost will
become much more significant.

Conclusion
All things considered, a security breach can cost you anywhere between $50 to
$250 per record. Depending on how many records are at stake, individual breach
costs may run into millions or even billions of dollars -- and organizations still aren't
prepared to protect their environments. Although studies may not be able to
determine the exact cost of a security breach in your organization, the loss of
sensitive data can have a crippling impact on an organization's bottom line,
especially if it is ill-equipped.

About the author:

Khalid Kark, CISSP, CISM is a senior analyst with Forrester Research Inc. in
Cambridge, Mass., where he covers security strategy, including communication
strategies, security organization, and the role of information security in corporate
governance.

Rate this Tip

To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.

Share - Digg This! Bookmark with Del.icio.us

SECURITY RELATED LINKS

Ads by Google

Data Security
Simplify your SMB voice and data networks & save.
www.Nortel.com

Sensitive Data Policy

Sensitive Information Policy meets Sarbanes-Oxley Sec 404 / Security
itproductivity.org

Compliant with PCI DSS?

Find out how GFI can help you obtain PCI DSS compliance!
www.gfi.com

Batch Process Simulation

Process Modeling, Scheduling, Cost Analysis, and De-bottlenecking
www.intelligen.com

Data Loss Prevention

Learn more about Proofpoint's data loss prevention & email security
www.proofpoint.com

RELATED CONTENT
Compliance Counselor
Compliance year in review: PCI DSS progress, yet confusion abounds
Why you shouldn't wager the house on risk management models
Applying PCI DSS to Web application security
PCI DSS emergency: What to do if you're (very) late to the game
Complex password compliance requirements made simple
Dissecting compliance workflow processes
PCI Pain: Is it time for an overhaul?
PCI Data Security Standard compliance: Setting the record straight
Considerations for encryption and compliance
COSO and COBIT: The value of compliance frameworks for SOX

Identity Theft and Data Security Breaches

For data minders, 2007 was a year of living dangerously
Lessons learned from TJX: Best practices for enterprise wireless encryption
Banks agree to settle lawsuits against TJX
TJX data breach costs could be settled in court appeal
Sophisticated spam, employee errors continue unabated
TJX offers $40.9 million breach settlement

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html 07-Jan-08
The cost of data breaches: Looking at the hard numbers Page 3 of 3

Data breach costs soar

Experts: Privacy and security officers living in silos
Convio acknowledges security breach
PCI DSS Council adding new standard for payment applications

Information Security Incident Response

Data breach costs soar
What are the proper procedures for handling a potential insider threat?
Black Hat 2007: Estonian attacks were a cyber riot, not warfare
Survey: Companies disregard data security breach risks
Endpoint Security
Digital forensics tool Helix 'does no harm'
How should information security and networking groups coordinate firewall
management?
RSA Conference: Experts say companies need data theft response plans
RSA Conference: Middle ground hard to find in vulnerability disclosure debate
When physical and logical security converge
Information Security Incident Response Research

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary
bot worm (SearchSecurity.com)
CISP-PCI (SearchSecurity.com)
cookie poisoning (SearchSecurity.com)
drive-by pharming (SearchSecurity.com)
identity theft (SearchSecurity.com)
parameter tampering (SearchSecurity.com)
pretexting (SearchCIO.com)
Rock Phish (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP
software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and
expertise with your peers and to learn from other enterprise IT professionals. TechTarget
provides the infrastructure to facilitate this sharing of information. However, we cannot
guarantee the accuracy or validity of the material submitted. You agree that your use of
the Ask The Expert services and your reliance on any questions, answers, information or
other materials received through this Web site is at your own risk.

View this month\\'s

Apply online for free
issue and subscribe
conference admission.
today.

SEARCH : Advanced Search | Site Index Powered by:

About Us | Contact Us | For Advertisers | For Business Partners | Site Index | RSS

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-
effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and
magazines.

TechTarget Corporate Web Site | Media Kits | Reprints | Site Map

All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html 07-Jan-08