In a recent survey of 83 corporate IT managers, 28 acknowledged having had to cope with a data breach, and half of those respondents reported significant related costs.
In its report entitled “Calculating the cost of a security breach,” research firm Forrester said half of those polled cited changes to security and auditing processes as a major cost category.
In addition, 43 per cent said the costs of customer notification and loss of business could be counted in the fallout from a data breach, though only 25 per cent feared lawsuits and civil penalties.
In its report, Forrester concluded that the cost of a data breach varies widely, from about US$90 to $305 per customer record, depending on whether the breach is “low-profile” or “high-profile” and whether the company is in a non-regulated or a highly regulated area, such as banking.
The Forrester report notes this is higher than findings by the Ponemon Institute and other industry experts, who typically cite costs associated with a data breach to be in the $50 range per customer record to cover legal fees, notification costs, increased call centre costs, and marketing and public relations expenses.
In counting up the costs of coping with a security breach involving sensitive data, Forrester reckons it costs $50 just for discovery, notification and response, which bring in unexpected expenses associated with legal counsel, call centres and mail notification.
Lost employee productivity would range from $20 per customer record to $30, while the “opportunity costs” in lost customers and difficulty in getting new ones would range from $20 for a “low-profile breach” in a non-regulated industry to $100 for a “high-profile breach” in a regulated one.
Regulatory fines could also be incurred in regulated industries to the tune of $25 to $60 per customer record. Credit card replacement costs or civil penalties can easily add up to $25, Forrester reckons.
Though it may seem hard to estimate a dollar value associated with a data breach, “focus on cost per record versus overall costs,” the Forrester report advises. The IT division should use the estimates simply as a starting point in interacting with the business side in estimating costs.