The Cost Of Data Breaches
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View The Cost Of Data Breaches as PDF for free.
More details
- Words: 1,846
- Pages: 3
The cost of data breaches: Looking at the hard numbers
Page 1 of 3
Activate your FREE membership today | Log-in
Advanced Search | Site Index
SEARCH :
Powered by:
Microsoft Dynamics: ERP Software Your People Can Actually Use. Try It Out Free. Home > Security Tips > Compliance Counselor > The cost of data breaches: Looking at the hard numbers
Security Tips:
EMAIL THIS
TIPS & NEWSLETTERS TOPICS
COMPLIANCE COUNSELOR
The cost of data breaches: Looking at the hard numbers Khalid Kark 03.21.2007 Rating: -4.17- (out of 5)
Identity Theft and Data Security Breaches NEWS, TIPS & MORE
RSS FEEDS: Enterprise IT tips and expert advice
As the frequency and gravity of security breaches has increased over the past few years, there have been several attempts to estimate the costs associated with them. The estimates, however, have churned out vastly different figures, further adding to the confusion. For example, a U.S. Department of Justice study, published in August 2006, determined that the average loss per incident was $1.5 million. These calculations conflicted with a 2005 CSI/FBI survey that estimated the cost to be $167,000. Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8 million per breach, while some CISOs put the cost to recover from a security incident at $1,000 per hour.
For data minders, 2007 was a year of living ... (ARTICLE) Banks agree to settle lawsuits against TJX (ARTICLE) TJX data breach costs could be settled in court ... (ARTICLE)
TJX offers $40.9 million breach settlement (ARTICLE) VIEW MORE
VENDOR CONTENT Webcast: Who's Reading Your Old Disk Drives? (WEBCAST)
[AD]
And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Puzzlingly, of companies that confirmed a personal data loss, 11% said that they did not incur any additional costs. But let me tell you, if you have a data breach, you will incur additional costs, significant enough to even put you out of business. Tangible costs Tangible costs are the unbudgeted expenses resulting from a security breach. These costs typically include legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers. Surprisingly, most estimates agree on this cost to be around $50 per record. This cost has increased slightly over previous years, but will continue to be somewhere around this number. Regulations and lost employee productivity When employees and contractors are diverted from their normal duties in order to address data breach controls, a company loses money. According to a Ponemon Institute survey, this cost had increased 100% in 2006 from $15 per record in 2005, to $30/record in 2006. The primary reason for this increase has been the growing number of entities and regulations that must be satisfied. Previously, if a company had a data breach, a security team fixed the problem, tested the mitigation and then the company resumed normal activities. Now, the threat of a data breach forces companies to satisfy the industry regulators, like the Payment Card Industry (PCI) Security Standards Council for credit card breaches, or the HIPAA auditors for healthcare regulations.
For more information on data security breach costs... According to a recent survey, data breach costs have
skyrocketed. Read more about it here. In this exclusive Security Wire Weekly podcast, Larry Ponemon talks about the difficulty of spotting data breaches. See how the TJX data breach has affected PCI compliance efforts.
As the ChoicePoint data breach has shown, where the personal financial records of more than 163,000 consumers had been compromised, the Federal Trade Commission and other judiciary committees may also get involved and impose their own requirements and restrictions. This cost is bound to increase in the future, as well.
DR Testing Techniques (VIDEOCAST) PCI Compliance Report: Cost Analysis Reveals Expense Justified (WHITE PAPER) Philips Medical Systems Cures Storage Heartache with the Intel® Entry Storage System ... (CASE STUDY) VIEW MORE
SEE ALSO Related Topics: Identity Theft and Data Security Breaches , Viruses, Worms and Other Malware, Spyware, Adware and Trojans Site Highlights: Free Online IT Training Spyware Learning Guide GET E-MAIL UPDATES Submit your e-mail below to receive Security-related news, tech tips and more, delivered to your inbox.
c Current Threats d e f g E-mail: Your E-mail Address Not a member? We'll activate your FREE membership with your subscription.
Stock price In the long run, a security breach does not have a significant effect on a company's stock price, but it could. A stock typically dips immediately after a data breach, but the price rebounds quickly, and after one year there is very little evidence of the breach affecting the stock.
The aftermath of the ChoicePoint data breach was an exception: its stock price fell 3.1% on the day the breach was reported, and then continued to fall. Five days after
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html
07-Jan-08
The cost of data breaches: Looking at the hard numbers
Page 2 of 3
the story made the papers, its stock plummeted by nearly 10%. Now, almost two years after the data debacle, the stock is about 20% lower. The reason for its unique long-term loss can be linked to a change in its top-line offerings. ChoicePoint reacted to the breach by dropping some of its information products. So even though a company's stock may recover soon after a security blunder, a lengthy recovery period is certainly a possibility. Opportunity cost Companies also typically experienced customer losses after a breach, but the severity varies significantly as well. Typically, banks and hospitals have had the lowest churn rates, and retail outlets have had the highest. A more significant issue at hand is the difficulty in acquiring new customers -- or new customer opportunities -- after a security breach. This number is hard to quantify, but most estimates compare these expenses to tangible costs. A Ponemon study, for example, puts opportunity cost at $98 per record, a 31% increase from 2005. This number is expected to grow as customers' security expectations increase and businesses compete on data protection technology. Regulatory requirements and fines When a breach occurs, both customers and regulators need to be satisfied. Regulators may impose additional security requirements or fines. For example, Visa levied $4.6 million in fines, penalizing companies that mismanaged sensitive customer data; the company levied $3.4 million in 2005. Similarly, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress to settle the Federal Trade Commission's demands. As laws and regulations increase, this cost will become much more significant. Conclusion All things considered, a security breach can cost you anywhere between $50 to $250 per record. Depending on how many records are at stake, individual breach costs may run into millions or even billions of dollars -- and organizations still aren't prepared to protect their environments. Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped. About the author: Khalid Kark, CISSP, CISM is a senior analyst with Forrester Research Inc. in Cambridge, Mass., where he covers security strategy, including communication strategies, security organization, and the role of information security in corporate governance.
Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member.
Share - Digg This!
Bookmark with Del.icio.us
SECURITY RELATED LINKS Ads by Google Data Security Simplify your SMB voice and data networks & save. www.Nortel.com Sensitive Data Policy Sensitive Information Policy meets Sarbanes-Oxley Sec 404 / Security itproductivity.org Compliant with PCI DSS? Find out how GFI can help you obtain PCI DSS compliance! www.gfi.com Batch Process Simulation Process Modeling, Scheduling, Cost Analysis, and De-bottlenecking www.intelligen.com Data Loss Prevention Learn more about Proofpoint's data loss prevention & email security www.proofpoint.com
RELATED CONTENT Compliance Counselor Compliance year in review: PCI DSS progress, yet confusion abounds Why you shouldn't wager the house on risk management models Applying PCI DSS to Web application security PCI DSS emergency: What to do if you're (very) late to the game Complex password compliance requirements made simple Dissecting compliance workflow processes PCI Pain: Is it time for an overhaul? PCI Data Security Standard compliance: Setting the record straight Considerations for encryption and compliance COSO and COBIT: The value of compliance frameworks for SOX
Identity Theft and Data Security Breaches For data minders, 2007 was a year of living dangerously Lessons learned from TJX: Best practices for enterprise wireless encryption Banks agree to settle lawsuits against TJX TJX data breach costs could be settled in court appeal Sophisticated spam, employee errors continue unabated TJX offers $40.9 million breach settlement
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html
07-Jan-08
The cost of data breaches: Looking at the hard numbers
Page 3 of 3
Data breach costs soar Experts: Privacy and security officers living in silos Convio acknowledges security breach PCI DSS Council adding new standard for payment applications
Information Security Incident Response Data breach costs soar What are the proper procedures for handling a potential insider threat? Black Hat 2007: Estonian attacks were a cyber riot, not warfare Survey: Companies disregard data security breach risks Endpoint Security Digital forensics tool Helix 'does no harm' How should information security and networking groups coordinate firewall management? RSA Conference: Experts say companies need data theft response plans RSA Conference: Middle ground hard to find in vulnerability disclosure debate When physical and logical security converge Information Security Incident Response Research
RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm (SearchSecurity.com) CISP-PCI (SearchSecurity.com) cookie poisoning (SearchSecurity.com) drive-by pharming (SearchSecurity.com) identity theft (SearchSecurity.com) parameter tampering (SearchSecurity.com) pretexting (SearchCIO.com) Rock Phish (SearchSecurity.com)
RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
View this month\\'s issue and subscribe today.
SEARCH :
Apply online for free conference admission.
Advanced Search | Site Index
Powered by:
About Us | Contact Us | For Advertisers | For Business Partners | Site Index | RSS TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making costeffective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines. TechTarget Corporate Web Site | Media Kits | Reprints | Site Map
All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html
07-Jan-08
Page 1 of 3
Activate your FREE membership today | Log-in
Advanced Search | Site Index
SEARCH :
Powered by:
Microsoft Dynamics: ERP Software Your People Can Actually Use. Try It Out Free. Home > Security Tips > Compliance Counselor > The cost of data breaches: Looking at the hard numbers
Security Tips:
EMAIL THIS
TIPS & NEWSLETTERS TOPICS
COMPLIANCE COUNSELOR
The cost of data breaches: Looking at the hard numbers Khalid Kark 03.21.2007 Rating: -4.17- (out of 5)
Identity Theft and Data Security Breaches NEWS, TIPS & MORE
RSS FEEDS: Enterprise IT tips and expert advice
As the frequency and gravity of security breaches has increased over the past few years, there have been several attempts to estimate the costs associated with them. The estimates, however, have churned out vastly different figures, further adding to the confusion. For example, a U.S. Department of Justice study, published in August 2006, determined that the average loss per incident was $1.5 million. These calculations conflicted with a 2005 CSI/FBI survey that estimated the cost to be $167,000. Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8 million per breach, while some CISOs put the cost to recover from a security incident at $1,000 per hour.
For data minders, 2007 was a year of living ... (ARTICLE) Banks agree to settle lawsuits against TJX (ARTICLE) TJX data breach costs could be settled in court ... (ARTICLE)
TJX offers $40.9 million breach settlement (ARTICLE) VIEW MORE
VENDOR CONTENT Webcast: Who's Reading Your Old Disk Drives? (WEBCAST)
[AD]
And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Puzzlingly, of companies that confirmed a personal data loss, 11% said that they did not incur any additional costs. But let me tell you, if you have a data breach, you will incur additional costs, significant enough to even put you out of business. Tangible costs Tangible costs are the unbudgeted expenses resulting from a security breach. These costs typically include legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers. Surprisingly, most estimates agree on this cost to be around $50 per record. This cost has increased slightly over previous years, but will continue to be somewhere around this number. Regulations and lost employee productivity When employees and contractors are diverted from their normal duties in order to address data breach controls, a company loses money. According to a Ponemon Institute survey, this cost had increased 100% in 2006 from $15 per record in 2005, to $30/record in 2006. The primary reason for this increase has been the growing number of entities and regulations that must be satisfied. Previously, if a company had a data breach, a security team fixed the problem, tested the mitigation and then the company resumed normal activities. Now, the threat of a data breach forces companies to satisfy the industry regulators, like the Payment Card Industry (PCI) Security Standards Council for credit card breaches, or the HIPAA auditors for healthcare regulations.
For more information on data security breach costs... According to a recent survey, data breach costs have
skyrocketed. Read more about it here. In this exclusive Security Wire Weekly podcast, Larry Ponemon talks about the difficulty of spotting data breaches. See how the TJX data breach has affected PCI compliance efforts.
As the ChoicePoint data breach has shown, where the personal financial records of more than 163,000 consumers had been compromised, the Federal Trade Commission and other judiciary committees may also get involved and impose their own requirements and restrictions. This cost is bound to increase in the future, as well.
DR Testing Techniques (VIDEOCAST) PCI Compliance Report: Cost Analysis Reveals Expense Justified (WHITE PAPER) Philips Medical Systems Cures Storage Heartache with the Intel® Entry Storage System ... (CASE STUDY) VIEW MORE
SEE ALSO Related Topics: Identity Theft and Data Security Breaches , Viruses, Worms and Other Malware, Spyware, Adware and Trojans Site Highlights: Free Online IT Training Spyware Learning Guide GET E-MAIL UPDATES Submit your e-mail below to receive Security-related news, tech tips and more, delivered to your inbox.
c Current Threats d e f g E-mail: Your E-mail Address Not a member? We'll activate your FREE membership with your subscription.
Stock price In the long run, a security breach does not have a significant effect on a company's stock price, but it could. A stock typically dips immediately after a data breach, but the price rebounds quickly, and after one year there is very little evidence of the breach affecting the stock.
The aftermath of the ChoicePoint data breach was an exception: its stock price fell 3.1% on the day the breach was reported, and then continued to fall. Five days after
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html
07-Jan-08
The cost of data breaches: Looking at the hard numbers
Page 2 of 3
the story made the papers, its stock plummeted by nearly 10%. Now, almost two years after the data debacle, the stock is about 20% lower. The reason for its unique long-term loss can be linked to a change in its top-line offerings. ChoicePoint reacted to the breach by dropping some of its information products. So even though a company's stock may recover soon after a security blunder, a lengthy recovery period is certainly a possibility. Opportunity cost Companies also typically experienced customer losses after a breach, but the severity varies significantly as well. Typically, banks and hospitals have had the lowest churn rates, and retail outlets have had the highest. A more significant issue at hand is the difficulty in acquiring new customers -- or new customer opportunities -- after a security breach. This number is hard to quantify, but most estimates compare these expenses to tangible costs. A Ponemon study, for example, puts opportunity cost at $98 per record, a 31% increase from 2005. This number is expected to grow as customers' security expectations increase and businesses compete on data protection technology. Regulatory requirements and fines When a breach occurs, both customers and regulators need to be satisfied. Regulators may impose additional security requirements or fines. For example, Visa levied $4.6 million in fines, penalizing companies that mismanaged sensitive customer data; the company levied $3.4 million in 2005. Similarly, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress to settle the Federal Trade Commission's demands. As laws and regulations increase, this cost will become much more significant. Conclusion All things considered, a security breach can cost you anywhere between $50 to $250 per record. Depending on how many records are at stake, individual breach costs may run into millions or even billions of dollars -- and organizations still aren't prepared to protect their environments. Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped. About the author: Khalid Kark, CISSP, CISM is a senior analyst with Forrester Research Inc. in Cambridge, Mass., where he covers security strategy, including communication strategies, security organization, and the role of information security in corporate governance.
Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member.
Share - Digg This!
Bookmark with Del.icio.us
SECURITY RELATED LINKS Ads by Google Data Security Simplify your SMB voice and data networks & save. www.Nortel.com Sensitive Data Policy Sensitive Information Policy meets Sarbanes-Oxley Sec 404 / Security itproductivity.org Compliant with PCI DSS? Find out how GFI can help you obtain PCI DSS compliance! www.gfi.com Batch Process Simulation Process Modeling, Scheduling, Cost Analysis, and De-bottlenecking www.intelligen.com Data Loss Prevention Learn more about Proofpoint's data loss prevention & email security www.proofpoint.com
RELATED CONTENT Compliance Counselor Compliance year in review: PCI DSS progress, yet confusion abounds Why you shouldn't wager the house on risk management models Applying PCI DSS to Web application security PCI DSS emergency: What to do if you're (very) late to the game Complex password compliance requirements made simple Dissecting compliance workflow processes PCI Pain: Is it time for an overhaul? PCI Data Security Standard compliance: Setting the record straight Considerations for encryption and compliance COSO and COBIT: The value of compliance frameworks for SOX
Identity Theft and Data Security Breaches For data minders, 2007 was a year of living dangerously Lessons learned from TJX: Best practices for enterprise wireless encryption Banks agree to settle lawsuits against TJX TJX data breach costs could be settled in court appeal Sophisticated spam, employee errors continue unabated TJX offers $40.9 million breach settlement
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html
07-Jan-08
The cost of data breaches: Looking at the hard numbers
Page 3 of 3
Data breach costs soar Experts: Privacy and security officers living in silos Convio acknowledges security breach PCI DSS Council adding new standard for payment applications
Information Security Incident Response Data breach costs soar What are the proper procedures for handling a potential insider threat? Black Hat 2007: Estonian attacks were a cyber riot, not warfare Survey: Companies disregard data security breach risks Endpoint Security Digital forensics tool Helix 'does no harm' How should information security and networking groups coordinate firewall management? RSA Conference: Experts say companies need data theft response plans RSA Conference: Middle ground hard to find in vulnerability disclosure debate When physical and logical security converge Information Security Incident Response Research
RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm (SearchSecurity.com) CISP-PCI (SearchSecurity.com) cookie poisoning (SearchSecurity.com) drive-by pharming (SearchSecurity.com) identity theft (SearchSecurity.com) parameter tampering (SearchSecurity.com) pretexting (SearchCIO.com) Rock Phish (SearchSecurity.com)
RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
View this month\\'s issue and subscribe today.
SEARCH :
Apply online for free conference admission.
Advanced Search | Site Index
Powered by:
About Us | Contact Us | For Advertisers | For Business Partners | Site Index | RSS TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making costeffective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines. TechTarget Corporate Web Site | Media Kits | Reprints | Site Map
All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html
07-Jan-08
Related Documents
The Cost Of Data Breaches
April 2020 12
Cost Data
April 2020 12
The Cost Of Discipleship
December 2019 17
The Cost Of Cool
June 2020 7
The Cost Of Gratefulness
June 2020 6