Written on April 14, 2007
So I was skimming the trades and encountered an article indicating that UPS lost a tape for one of its customers, People’s Bank, in January. The tape contained data on 90,000 customers who use the bank's personal credit-line services: names, addresses and SSNs.
What is the cost of a data breach? Perhaps the easiest part to quantify is the cost to People’s Bank, which must now field phone calls, send letters and updates, conduct internal investigations and external audits, and pay the credit-monitoring bills for its customers. Indirectly, People’s Bank and UPS must contend with the media exposure a breach like this causes, with government investigation and intrusion into their business processes, and with the inevitable impact on brand, stock price, and the longevity of consumer memory.
There was a high-profile case out in my neck of the woods a year and a half ago. Providence Health Systems of Portland, OR had system administrators take backup tapes off-site, meaning the tapes traveled outside the control of the company to the admins' homes and vehicles. It turns out these tapes were stolen from the van of one of the system admins. The tapes held PHI (Private Health Information) on some 350,000 patients of Providence.
A Providence official told the Portland Oregonian that the case, excluding litigation fees, was expected to cost from $7 million to $9 million, including the cost of providing affected patients with access to credit monitoring and restoration services; this figure also excludes the future possibility of torts brought by state agencies and by individuals damaged by the exposure.
The direct costs seem simple enough to compute, and there are noteworthy studies. Forrester recently looked at 28 companies that had data breaches and estimated an exposure cost of $90 to $305 per record, where the variability depended on the public profile of the breach and on the regulatory controls that apply to the data. Using these kinds of numbers, the recent TJX theft of over 45 million records would yield, conservatively, a $4.05 billion (with a B) price tag.
Billions? Spending on stronger data breach controls is looking like a more positive ROI all the time. Yet, if we still need convincing, Darwin Professional Underwriters, an insurance company, analyzed data from media reports and other sources to come up with cost algorithms for an online calculator of the financial risk of data loss or exposure.
I tried the 45 million figure; the calculator just didn’t go up that high and seemed to break. So I tried our earlier reference of 90,000 records lost from People’s Bank. That yielded a total estimate of $10.97 million in direct and indirect expenses resulting from the data theft.