Nov 29 2008   1:47AM GMT

What does a Data Breach REALLY Cost?

Arian Eigen Heald

If you want to experience pain in the corporate wallet, I invite you to go to the Data Loss Cost Calculator. Plug in some numbers and look at the costs broken out by regulatory penalties, attorney fees, investigation costs, etc. I recently completed a SMALL forensics exam that cost the client in the six figures, and that was without crisis management or client notifications.

A survey conducted by the Ponemon Institute (you need to give up some personal info to access the study, unfortunately) found that 58% of respondents who had been notified that their personal information was compromised in a data breach had lost confidence in the company, and that 31% planned to stop doing business with it. The cost of a data breach is estimated at $197.00 per record.

The actual cost to the consumer (you and me) is usually estimated from identity theft statistics. Not every data breach results in identity theft, but the potential for identity theft exists for every data breach, and that is what business is forced to address, and rightly so. For a data breach we endure the inconvenience of changed credit card numbers and other minutiae; the cost to consumers of identity theft is much larger.

Best-case estimates are that it takes 25-40 hours of the consumer’s time (you and me) and a cost of $5720.00, according to But consider also that the consumer (you and me) may be dealing with the trail of the identity theft for up to 10 years or more. What fun. No wonder they’re suing.

Those of us working in small organizations often think we are somehow “immune” from data theft. It’s kind of like planning for your own funeral – no one wants to think about it. But when it happens, what’s your plan? Are bits and pieces inside your Disaster Recovery Plan and/or your Incident Response Plan? Has your company done an impact analysis?

Keep in mind that many smaller companies never recover from a data breach: if you lost 31% of your business, would the company survive?

A business impact analysis of the cost of damage recovery should include the following:

• Investigation costs
• Remediation costs
• System updating
• Outside forensic consultant fees
• Downtime-related costs:
    – Loss of productivity
    – DR deployment
    – Employee downtime or overtime
• Legal fees, court costs
• Replacement and/or retraining of employees
• Loss of intellectual property
• Possible replacement of equipment
• PR costs to recover reputation
• Regulatory fines

It’s better to plan the funeral and hope you survive the service. Having a plan will keep you out of the unemployment line.
