Does anyone know the real cost of a data breach? This is a question that has been asked both in the board room and by researchers in the security industry ever since the first big data breaches began grabbing major headlines more than a decade ago.
Recent events and the rise in mega breaches are shedding light on how much mega data breaches can cost companies. Yahoo is just beginning to comprehend the cost of its data breach. The latest news reports say it may end up costing the company and its shareholders one billion dollars. At least that is the discount Verizon is reportedly considering following its $4.8 billion offer to purchase the company.
Home Depot and Target also experienced data breaches that exposed tens of millions of financial and personal data records and cost the two companies a combined $556 million based on their filings with the Securities and Exchange Commission. Data breaches costs are very real, but exact numbers can be elusive and both tangible and intangible. In May 2015, the Ponemon Institute placed the cost of an individual data breach at $3.5 million, up 15 percent increase from last year.
Regardless, the costs are many. Banks, payment card processors, and consumers can sue for losses. Breached companies often pay for free credit monitoring services for affected customers. There are the investigative costs to find out the cause and extent of the breach.
Of course, there is the hit to the company’s stock price, an increase in security investments, the potential for lost business and reputational damage. Within the company, there can be lost productivity or internal distractions. Lastly, another emerging monetary and time intensive cost is government fines and penalties.
The U.S. government has taken steps to increase data breach transparency, citizen privacy and security awareness when a major data breach is disclosed. The companies are investigated by government officials and often end up paying fines and settlements.
Morgan Stanley recently agreed to pay a $1 million penalty after 730,000 accounts were compromised due to an insider threat. The actual cost per account is about $1.37 and most likely doesn’t cover all costs and ramifications of the breach. The true cost of a data breach would also need to calculate the third-party repercussions from the attack such as an identity fraud, credit card fraud or access to other accounts like online banking.
While there is still a long way to go in securing the breach, the breach is no longer an obscure or taboo issue. More and more people and enterprises have been impacted by a data breach and as a result are more engaged on the topic. Based on the trends we see, there are three main points contributing to the shift in attitude.
One: Data breach costs are at least becoming more tangible. Take the Talk Talk breach as an example. Even though cost of the breach was relatively small, the breach hurt the company to the core. We are told that the hit on the company was tougher than initially hoped. The breach and resulting actions cost the company 60 million pounds — nearly double what was anticipated in the days following the breach. To put this another way, it’s roughly the same amount as the company’s entire profit for 2014.
Two: Consumers Are Becoming More Aware of their Risk Exposure. Costs to consumers have been largely unexplored. A Rand study found that the median cost to a consumer was $500 based on participating respondents. Median dollar values were higher if health information ($1,000), social security numbers ($1,000), or other financial information ($864) was compromised. Today, consumers have a better understanding of cybersecurity and no longer want to deal with the headache of fraud when there are preventative measures.
Three: The impact on the average company. Large companies like Target, Home Depot, and Yahoo can absorb the costs of a massive breach. For companies that are not doing well financially, a data breach can be the straw that breaks the proverbial camel’s back. And for small companies, the risks of rolling the dice on security are no longer acceptable.
Breaches will continue to occur and the more connected devices there are, the greater the prize is for hackers. In this digital world, the only way to protect data is to kill it, and that means to encrypt it. The good news is security doesn’t have to be only a cost without reward. Many enterprises adding security to existing services are finding it can also be a business enabler.
(About the author: Jason Hart is vice president and chief technology officer of data protection at Gemalto, a world leader in digital security. Hart is a former ethical hacker with 20 years of experience in the information security industry and a long list of professional credits.)