Everyone knows that security breaches cost money. Increasingly, people are trying to quantify how much, and what it would cost to protect the data more fully before a problem occurs.
This intriguing Help Net Security piece is one such attempt. The writer discusses TJX which, having lost about 45 million records, is the poster child for bad data security. The story says the cost of the company's massive failure to date is $17 million. That's a partial price tag, however. A lot of the costs will not be known for a long time and, indeed, that figure likely will grow radically.
Every lost piece of data carries multiple costs. Some examples: There are liabilities to customers, partners and others whose information is compromised. There is time lost taking systems offline to do the forensics necessary to find out what went wrong. There are software and other upgrades to make sure the problem doesn't recur. Keep in mind that the personnel performing these tasks aren't doing other things that would benefit the company.
The heart of the piece is a series of six questions that will help create a return on investment calculation to justify additional security. Such a figure, of course, can help win the funding that is necessary to avoid the problem in the future. It's also safe to say that getting data protection funded may be easier after a breach occurs.
An even more specific way to trace the cost of a breach was recently released. Darwin Professional Underwriters' Tech//404 Data Loss Cost Calculator divides the cost of losses into three categories: internal investigation (with two subcategories), notification crisis management (four subcategories) and regulatory compliance (three subcategories). The numbers are frightening. For instance, the estimated cost of losing 400,000 records ranges from $5,320,704 to $7,981,056. This doesn't count civil suit damages, which can run to thousands of dollars per record lost.
Though those numbers are high, neither the calculator nor the Help Net piece sheds light on the greatest price of a security failure: the cost to a company's reputation. The Help Net writer mentions it, but remains vague because it is an intangible. It's difficult to do more than estimate how many customers leave after a breach, and it's impossible to say how many potential customers and partners shy away from a first contact because the organization's name has been sullied. It's probably a good thing that security staff don't see these numbers. They would cause a lot of sleepless nights.
The axiom -- and one that is totally true -- is that the cost of prevention is far less than the costs incurred by a breach. Indeed, the scary numbers, and the just as scary lack of predictability, are leading companies to carry data breach insurance and to roll out encryption, which can obviate legal liability.