So, how much does it cost to deal with an IT security breach involving sensitive business records or customer data? The quick answer, depending on the size of your enterprise and the size of the breach, is that such an incident could literally cost you and your company everything.
Here’s the slightly more detailed answer: More than you ever want to know. Ever.
But let’s put some numbers on the problem, just to give you a sense of context. Here are some estimates of the immediate cost of a data-breach incident:
- $6.75 million per incident in the U.S., according to some sources
- $3.43 million per incident on average internationally
- $200+ per compromised record, on average
But the actual financial impact of a data breach needs to include the costs of dealing with the aftermath of such an incident — and that means pushing those numbers far higher. A recent Ponemon study, for example, found that “nearly half of the total cost of a data breach was the result of lost consumer confidence.”
Nor is financial quantification alone particularly helpful when thinking about those costs. A major, catastrophic, public data breach can turn very quickly into a worst-case scenario for a company’s brand integrity and image. Think BP, only you're leaking private information along with customer confidence and cash.
The consequences and costs of even a small breach will spread both fast and wide. Here, to wit, are a dozen unpleasant outcomes to think about:
- Operations time lost while breached and compromised systems and configurations are shut down and resecured.
- Loss of business focus as the enterprise shifts necessary resources and personnel to damage control, security remediation, and replacing any employees terminated as a result of the breach (or any who abandon ship if the breach is bad enough).
- Customers who lose confidence in your company and jump ship to competitors.
- Lost new business due to customers who learn of the data breach (or are told about it by your competitors). At best, your sales force may have a tougher time landing new customers after a well-publicized breach.
- Damage to employee morale and confidence, potentially across the board.
- Time spent in meetings, communications and other activities required to rebuild morale, or at least try to do so.
- Legal fees for dealing with customer damages (and possible class action suits in some cases) and responding to federal and state compliance and regulatory investigations.
- Legal fees for suing vendors who may have been involved in the data breach incident, such as through negligence or faulty procedures.
- Increased public relations and advertising costs, including the cost of specialized “crisis PR” experts.
- Distracted and defensive management faced with angry customers, unhappy employees and way too many hours spent huddled with attorneys and regulators.
- The cost of replacing a management team held responsible for a data breach incident — possibly including senior IT staff up to and including the CIO.
- The opportunity cost involved in giving the company time to return to "normal" — if it ever does. It’s especially hard to quantify this impact, but anyone who's been through a breach and its aftermath will know what I mean.
That's what I meant at the beginning when I said that a breach could cost you more than you want to know. Probably what I should have said is that a data breach's costs are more than you ever want to find out.
And I only listed a dozen here. How many hundreds have I left out?