Quantifying Security Breaches: They’re More Expensive Than You Think
Let’s talk breaches. Actually, let’s talk about the bottom line of breaches, which is, go figure, your bottom line. And whether you’re a provider or a consumer, major security and data breaches will hit you where it counts: your wallet.
For those organizations that fear the economic impact of a breach, there’s good reason to worry. According to the Ponemon Institute’s 2014 Cost of a Data Breach Study: Global Analysis, companies spent 15 percent more dealing with data breaches in 2013 than they did in 2012, with the average cost to a company sitting at $3.5 million U.S.
Having reviewed the high-level findings of the Ponemon report, I started looking into total reported costs of security breaches. What I found was interesting: a lot of “estimated” costs, but few hard and fast figures. And as I dug through announcements and reports, I drew what I feel are some reasonable conclusions: 1) costs related to breaches pile up over years, not months; 2) most estimates focus only on the organization responsible for the breach, not the outliers who also incur costs; and 3) in almost all cases, an organization will never be able to accurately quantify the full impact of a breach.
Leaking Cash over Time
Yes, there are clear actions to take in the initial response to security and data breaches. And, yes, those actions cost money. But that’s just the start of the drain. Fines, lawsuits, and other expenses often take years to resolve. Take these as examples:
- Following a significant and widely reported breach on its PlayStation Network, Qriocity, and other online properties in 2011, Sony reportedly spent $171 million related to security upgrades and customer support activities through 2012. But costs related to the breach are still stacking up, including a nearly $400,000 fine imposed in 2013 by the UK’s Information Commissioner’s Office and a pending resolution on a class action lawsuit (the company has agreed to a preliminary settlement valued at $15 million, but the judge’s decision isn’t expected until 2015).
- The Target breach that occurred in late 2013 exposed 40 million credit card numbers and the personal data of 70 million customers. CBS News recently reported that Target expects to include net pre-tax expenses of $129 million (which equated to $0.13 a share) this year to deal with the fallout related to the breach.
- Global Payments Inc. announced a data breach in 2012 that left as many as 7 million accounts exposed, according to industry experts. In April 2013, the company reported it had paid $92.7 million in costs related to breach investigation and remediation, fines, and compliance activities.
- Earlier this month, LinkedIn agreed to pay $1.25 million to settle a class-action lawsuit that was filed following a 2012 breach.
Looking Beyond the Responsible Party
Naturally, the organization that’s in the cross-hairs from the perspective of consumers and reporters is bound to gain the most attention in the aftermath of a breach. But this is far from the only party that bears costs related to a security or data leak:
- The data that was stolen in the Global Payments breach was used by thieves to counterfeit new prepaid cards. BackgroundChecks.org reported that Union Savings Bank suffered approximately $85,000 in related expenses and that Fulton Bank of New Jersey saw about 1,000 stolen accounts every week during the peak of these activities. ZDNet reported on a Javelin Strategy & Research case study related to the Global Payments breach, which estimated that $707 million in fraudulent charges were likely to occur on the 1.5 million cards known to be compromised in the breach. Javelin expects consumers to foot the bill for about $152 million of that fraud.
- In February 2014, the Consumer Bankers Association (CBA) reported that credit unions and banks are expected to absorb more than $200 million in costs associated with the Target breach. CBA expects the costs of card replacements will reach $172 million, and the Credit Union National Association (CUNA) reported more than $30 million in expenses to credit unions. In both cases, those figures were more than 10% higher than initial estimates.
- A recent Community Health Systems breach, which exposed 4.5 million patients’ data in 29 states, could cost the organization upwards of $150 million by some estimates. But the biggest hit is likely to be to the general public, which is already footing astronomical costs associated with health care fraud. With all those new Social Security numbers out in the open, it’s only going to get worse.
Take That Estimated Cost and…Double It? Triple It? Maybe That and More.
In my mind, there is no real way to fully quantify the effects of a breach. Why? Because you simply cannot know how much business a slip in security will cost you over time. Sure, you may know how many customers cancel accounts or subscriptions in the aftermath of a breach. But you won’t know how many customers cut back on what they do with you or how many customers you’ll lose out on because of a lack of trust. And this isn’t a short-term proposition; with major breaches, an organization’s brand image will take a hit every time it’s mentioned in the press. Take Sony, for example; the news of its PlayStation Network breach first broke back in 2011, but it will be a headline until at least 2015 due to the pending resolution of the class-action suit.
Customers and brand image are an all-important — and expensive — consideration following a breach, as evidenced by this excerpt from the Ponemon Institute’s blog:
“Critical to controlling costs is keeping customers from leaving. The [Cost of a Data Breach] research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers.”
Time to Batten Down the Hatches
Clearly, the most cost-effective breach is no breach at all. As you think about how you can prevent data from slipping through the cracks, it’s important to recognize network security is just one component of an effective security plan. Because the reality is that every employee is a potential breach point.
The most effective approach is one that puts all hands on deck. Now is the time to increase security awareness throughout your organization and educate your employees about how they can become a stronger line of defense against breaches.
Find out how Wombat Security’s Security Awareness and Training Methodology helps organizations change employee behaviors and reduce risk.