Pain, Angst and Time – the real cost of a data breach.

Content Copyright © 2007 Bloor. All Rights Reserved.

The appalling circumstances surrounding the loss of the HMRC data disks have been well documented in the seething press and blogosphere over the past few days, but what is the real cost of a data breach, in plain old monetary terms?

Understanding the details of any data breach is difficult. Historically these breaches were often shrouded in secrecy as the offending organisation tried to bury its bad news or keep it a private matter away from customers' eyes. This strategy was blown out of the water by the first data breach notification requirements, enacted by the US state of California in 2003, which compel organisations and government agencies to 'fess up if they have lost personal information belonging to employees, customers or other individuals. The breach can result from a technical malfunction, human error or malicious acts, and the requirement applies to any business or organisation that "conducts business in California". To date 35 forward-looking US states have enacted similar legislation.

The good news for organisations is that there may be circumstances in which a data breach is not technically a data breach, and therefore a notification does not need to happen:

  • The data has been encrypted beyond 128-bit
  • The breached data is not considered "protected"
  • The breach was stopped before the data was unlawfully acquired
  • Special circumstances apply (e.g. national security concerns)

Since January 2005 the Privacy Rights Clearinghouse in the US has identified more than 215 million records of US residents that have been exposed through security breaches.

A recently published update report from the respected Ponemon Institute, sponsored by PGP Corporation and Vontu, (details here) lays out in some detail the costs associated with typical data breaches. The value of this report is huge, as the data it uses has been collected from 35 organisations that have been through the pain of a data loss episode and are therefore well placed to cite the real costs and implications for their businesses. The breaches analysed ranged from 4,000 to 125,000 records across 15 different industry sectors.

This is the third annual survey from the Ponemon
Institute covering this topic so we can now start to undertake some trend

The total cost of a breach rose to an average of $197 per record, up 8% on 2006 and 43% on 2005. The average cost of a breach was $6.3 million. The cost of associated lost business increased by more than 30% and averaged $128 per record compromised.

A UK-specific version of this report is due out early next year, and it will be interesting to compare the costs of UK breaches with US breaches. For example, are legal costs lower in the UK?

No matter what the individual monetary cost of a breach is, the reality is that it causes no end of trouble to the individual who has been exposed, as the millions subjected to the incompetence of HMRC are finding out. The costs in angst, time and effort of this breach are something that can't be measured in pure monetary terms.