By Ellen Messmer
In a recent survey of 83 corporate IT managers, 28 acknowledged having
had to cope with a data breach, and half of those respondents reported
significant related costs.
In its report entitled "Calculating the cost of a security breach,"
research firm Forrester said half of those polled cited changes to
security and auditing processes as a major cost category.
In addition, 43% said the costs of customer notification and loss of
business could be counted in the fall-out from a data breach, though
only 25% feared lawsuits and civil penalties.
In its report, Forrester concluded that the costs of a data breach vary
widely, from about $90 to $305 per customer record, depending on whether
the breach is low-profile or high-profile and whether the company is in a
non-regulated or highly regulated area, such as banking.
The Forrester report notes this is higher than findings made by the
Ponemon Institute and other industry experts, who typically cite costs
associated with a data breach as being in the $50 range per customer record
to cover legal fees, notification costs, increased call center costs,
marketing and public relations expenses.
In counting up the costs of coping with a security breach involving sensitive
data, Forrester reckons it costs $50 just for the discovery,
notification and response, which bring in unexpected expenses associated
with legal counsel, call centers and mail notification.
Lost employee productivity would range from $20 per customer record to
$30, while the opportunity costs in lost customers and difficulty in
getting new ones would range from $20 for a low-profile breach in a
non-regulated industry to $100 for a high-profile breach in a regulated
Regulatory fines could also be incurred in regulated industries, to the tune of
$25 to $60 per customer record. Credit-card replacement costs or civil
penalties could easily add up to $25, Forrester reckons.
Though it may seem hard to estimate a dollar value associated with a
data breach, focus on cost per record vs. overall costs, the Forrester
report advises. The IT division should use the estimates simply as a
starting point in interacting with the business side in estimating
(c) Copyright 2007 Network World Inc.