An interesting site to read through is the Ponemon Institute, which includes independent research on privacy and IT security issues.
One of the studies that caught my eye involved the cost of a data breach.
The study I reviewed dealt with data from 2008 and compared it to 2007. It also reviewed the impact of both direct and indirect costs. Direct costs are the efforts taken to remediate the direct causes of a breach and clean up after it. Examples would be: hiring consultants, implementing technologies, or providing credit protection. Indirect costs are costs to the business that are not directly attributable to the breach itself, yet still result from it. Examples would be: customer churn, lost prospects, reputational impacts, or additional support costs.
The overall result of the study shows that direct and indirect costs are rising. This reflects the vast amount of attention that has been given to breaches -- even as far as state governments legislating how the breach victims must be notified. As companies involved in data breaches learn the proper ways to handle the event, the costs will rise due to their increased engagement. In the past, a breach could be handled internally with little external involvement. No longer is this the case. A company with a breach had better be able to show due diligence by engaging professionals to remediate.
Additionally, the general public, which is increasingly plugged in and online, has become savvier regarding how their data should be handled and protected. When a company fails to show even basic security capabilities, causing a breach, a knowledgeable public takes their business elsewhere.
Something to note is that customer churn rates due to a breach event were highest in the healthcare industry. It seems folks care more about their doctors/hospitals losing their information than they do about their financial institutions.
One of the most relevant discoveries in this report is that breaches involving third-party or partner mistakes are the most expensive to remediate, and that 44% of the breaches reviewed involved third parties. There is not really a good reason given as to why third-party involvement causes a breach to be more expensive, but we can guess that inefficiencies are introduced when a third party must be taken into account. The lesson is to only share data with third parties you are sure have a good security program that includes event handling capabilities.
Below are some statements directly from the report that I found relevant. These do not represent the full report, and an interested person should read directly from the links provided below.
Over the past four years, the lost business cost component grew by more than $64 on a per-victim basis, or a 38% overall percentage increase. Our research finds organizations in highly trusted industries, such as banking, pharmaceuticals and healthcare, are more likely to experience a data breach with high abnormal churn rates. In contrast, retailers and companies with less direct consumer contact seem to experience a lower overall data breach cost.
The most significant cost decrease concerns ex-post response, which implies organizations are becoming more cost-efficient in their management of the data breach. Despite efficiency gains, consulting, legal defense and, as mentioned previously, lost customer business have increased in this year’s study.
The range of total cost among the 43 data breach incidents contained in this year’s study is a minimum of $613k to more than $32 million. The magnitude of the breach event ranged from 4,200 to 113,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.
In this year’s study, the average abnormal churn rate across all 43 incidents is 3.6%, which was measured by the loss of customers who were directly affected by the data breach event (i.e., typically those receiving notification). The abnormal churn or turnover rate in 2007 for customers receiving notification was 2.7%.
Healthcare and financial service companies have the highest average rate of churn at 6.5% and 5.5%, respectively. High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data. Thus, consumers may have a higher expectation for the protection and privacy of their financial and healthcare records.
Over 44% of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties are the most costly. This could be due to additional investigation and consulting fees. As shown in Bar Chart 5, per victim cost for data breaches involving third parties is $231 versus $179, more than a $52 difference.
Further Reading