As data becomes increasingly valuable, the risk of a data breach is on the rise, and its costs cannot be ignored. A recent report from the Ponemon Institute shows that the total cost of a data breach in 2011 came to USD 5.5 million for companies in the US, USD 4.4 million in Germany and USD 2.7 million in the UK. The report also examines what makes up these hefty figures and breaks them down into four components:
- Detection and escalation costs;
- Costs of notification;
- Loss of business; and
- Post data breach costs.
Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and the board of directors.
Costs of notification include determination of all regulatory requirements, creation of contact databases, engagement of outside experts, postal expenditures, etc.
Lost business costs are the most significant financial consequence, and include reputation losses and diminished goodwill.
Post data breach costs cover special investigative activities, remediation activities, legal expenditures, product discounts, identity protection services and regulatory interventions, as well as administrative expenditures such as help desk activities and inbound communications.
Case Study: TJX
Besides these four components, there are other potential costs, as illustrated by a data breach suffered by TJX, the parent company of T K Maxx. In early 2007, TJX announced that it had 45 million customer records stolen by hackers over an 18-month period. It was reported that the cost of this breach could be as high as USD 1.6 billion.
The biggest costs came from contacting and offering assistance to affected customers. Each customer record was assumed to cost TJX USD 5 to service. 20 percent of those whose data was breached will request a credit watch, resulting in a total bill of USD 1.24 billion.
Other significant costs in the quarter following the breach include legal advice (USD 12 million per year), public relations (USD 3.4 million), internal investigations (USD 8.1 million) and regulatory fines (USD 1.5 million).
TJX also faced several class-action lawsuits filed in a number of US states and was sued by various banks, including the Massachusetts Bankers Association (MBA), which represented the banks that had allegedly incurred losses in connection with the TJX data breach. The parties eventually settled for USD 41 million.
However, these lawsuits from the banks had a bigger financial impact beyond that. In the initial fortnight following the announcement of the data breach, TJX experienced a 1.7 percent decrease in stock price. This is in line with percentage price drops for other companies that have announced similar security breaches. However, TJX's stock price fell another 3.6 percent following a lawsuit filed by a bank and a call by a US Representative for the FTC to investigate the breach. In total, TJX fell more than 5 percent within five days.
What Could Be Done
The Ponemon Institute report states that on average, one leaked record costs USD 194 in the US, followed by USD 191 in Germany and USD 124 in the UK. However, in the US, having a chief information security officer responsible for data protection could save as much as USD 80 per record. Preventative measures are clearly the best way to avoid the substantial costs of a data breach. In addition, with malicious or criminal attacks on the rise, companies should take steps to address the risk of a data breach by having appropriate policies in place.