It is the season for annual data breach reports to be published. This year a statistic that has raised interest is the average cost of a data breach. One report shows a figure just above $200 per record while another shows less than $1. While, as you will see, both of these numbers provide interesting guidelines, they may be irrelevant to your business.
Why the discrepancy?
When a data breach occurs there are several potential expenses a business may incur: labor to manage the incident, forensic analysis, system repairs, notification, identity theft protection, public relations, and fines, just to name a few. Many of these costs are relatively fixed regardless of the number of records involved in a breach. So the larger the breach, the lower the cost per record for that expense.
For example, if forensic analysis costs $25,000, a breach involving 2,500 records would have a cost per record of $10.00 for that component. A breach of 2.5 million records would have a cost of $0.01 per record for the forensic component.
This economy of scale makes the variance in the published numbers understandable. One estimate limits its population of breaches by the number of records lost, while the other does not put a limit on the number of records.
What about your business?
In your day-to-day business you may face a number of “minor” data breaches. Mis-addressed forms sent by email or postal mail containing personal information, lost folders containing personal information, and stolen laptops all may result in a data breach, and all of these incidents require investigation and analysis. Assuming $100 (fully burdened) per hour for labor, if this analysis takes as little as 4 person-hours… well, you can see where this is going.
I suggest that, in addition to taking preventative measures against “large” data breaches, businesses need to focus on the costs associated with the small, recurrent incidents, either to prevent them from happening or to streamline the response process. Eliminating 100 incidents per year can have a significant impact on your budget.
What should a business do?
Every business is different. Each has its own breach response plan and its own cost structure. I suggest that a business should take the time to derive a model to determine its own cost of a data breach. It should encompass the cost of merely investigating an incident, the cost of a minor data breach, and the cost of a major data breach. These numbers may be compared to the published estimates to see if your organization is in line with those industry benchmarks.
In addition to determining an estimate for your expected costs, this activity will force a review of your response plan, an activity that should be done on a regular basis.
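As an added illustration (not part of the original post) of the kind of model suggested here, the Python below separates fixed per-incident costs from per-record costs and labor, then prices the three tiers the text names. The component figures and tier definitions are constructed assumptions to be replaced with a business's own numbers; only the $100 labor rate and the $25,000 forensic example come from the text.

```python
# Constructed sample figures for illustration; they are not industry data.
# Each component is (fixed dollars per incident, dollars per affected record).
COMPONENTS = {
    "forensics":           (25_000.0, 0.00),
    "notification":        ( 2_000.0, 1.50),
    "identity_protection": (     0.0, 8.00),
    "public_relations":    (15_000.0, 0.00),
}
LABOR_RATE = 100.0  # fully burdened $/person-hour, as in the text


def incident_cost(components, records, labor_hours, labor_rate=LABOR_RATE):
    """Total cost of one incident: fixed components + per-record components + labor."""
    fixed = sum(COMPONENTS[c][0] for c in components)
    per_record = sum(COMPONENTS[c][1] for c in components)
    return fixed + records * per_record + labor_hours * labor_rate


def cost_per_record(components, records, labor_hours):
    """Per-record cost; undefined when no records were exposed (investigation only)."""
    if records <= 0:
        raise ValueError("no exposed records: report the incident cost instead")
    return incident_cost(components, records, labor_hours) / records


def fixed_share_per_record(fixed_cost, records):
    """How a single fixed cost spreads over the records (the forensic example)."""
    return fixed_cost / records


# The three tiers the text says a model should cover (assumed definitions).
TIERS = {
    # tier: (components that apply, records exposed, labor hours)
    "investigation_only": ((), 0, 4),
    "minor":              (("notification",), 1, 8),
    "major":              (tuple(COMPONENTS), 2_500_000, 400),
}


def tier_cost(tier):
    return incident_cost(*TIERS[tier])


def annual_cost(incident_counts):
    """Expected yearly spend from a dict of tier -> incidents per year."""
    return sum(n * tier_cost(t) for t, n in incident_counts.items())


if __name__ == "__main__":
    for t in TIERS:
        print(f"{t:>18}: ${tier_cost(t):>14,.2f}")
    print("forensics/record at 2,500 records:", fixed_share_per_record(25_000, 2_500))
    print("forensics/record at 2.5M records: ", fixed_share_per_record(25_000, 2_500_000))
    print("100 investigation-only incidents/yr:", annual_cost({"investigation_only": 100}))
```

The per-record figure for the major tier is dominated by the per-record components, while the same fixed forensic cost drops from $10.00 to $0.01 per record, which is the economy of scale behind the published discrepancy.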