Based on several projects I’ve worked on over the past few years, I've seen that organizations are trying to understand the costs of data breaches, but in many cases, these numbers are difficult to quantify. I’ve conducted some research on this question, specifically on both the hard and soft costs of a data breach, and I’d like to share with you my thoughts on the cost of a data breach, based on what I’ve learned so far.
The Average Size of a Breach Has Increased in the Past Two Years
The first item, one that came as a surprise to me, is that the average reported breach size in 2018 for a health payer (e.g., an insurance company) was approximately 59,000 records. Note that in 2016 this number was 17,000, so the size of breaches has tripled in the last 2 years. Additionally, of those same reported breaches, an estimated 80 percent involved 100,000 or more records, and about 90 percent were more than 17,000 records. (Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
So while the average-size breach may be around 59,000 records, organizations can also experience many smaller breaches throughout a given year. Given this exposure, it is extremely prudent for organizations to address the risk, especially since the cost of reducing it is a fraction of the potential cost of a breach: loss of business, credit monitoring services, regulatory penalties, and the potential costs of class action lawsuits.
But, as I said, many of our clients want to understand the costs of a breach. While it may be difficult to project an exact cost, I did identify some common factors in a breach, from both a hard- and soft-dollar standpoint. Here’s an overview of what I found.
Estimates for the Hard-dollar Costs of a Data Breach
The hard costs are quantifiable, and I’ll calculate them for you here, based on our average breach size of 59,000 records.
- Mailings: Typically, regulations require that an organization mail (via U.S. Postal Service) a notification to each customer affected by the data breach, and that they do so at least once (but likely twice). These costs include printing, paper, and postage, and for a breach of 59,000 records (average breach size above), at $0.50/mailing (two mailings), the costs would be $59,000.
- Post-breach identity theft/credit monitoring: It is critical to maintain credibility and customer satisfaction after a breach, and, as such, most organizations provide credit monitoring for the affected customers following a breach. Estimates of these costs are in the neighborhood of $120/year per affected customer, and coverage will likely need to extend up to 2 years post-breach, resulting in a total cost of $14,160,000 for our average-size breach of 59,000 records. (Source: http://www.nextadvisor.com/identity_theft_protection_services/compare.php)
- Fines: While differing in size for both breach type (e.g. employee negligence versus external actor) and breach size, it is likely that regulatory fines could range from $1 million to $16 million. (Source: https://www.hhs.gov/ocr/newsroom/index.html)
- Hiring of additional FTE(s): It is likely that an organization that has suffered a breach will need to hire at least one additional full-time resource to manage the reporting, tracking, and eventual remediation of the breach. Such a resource will likely cost $100,000 a year for 2 years.
Totaling it all up, for a breach of 59,000 records, expect it to cost your organization between $15.4 million and $30.4 million in hard-dollar costs alone.
But it gets worse. Don’t forget about the soft costs.
Add the Soft-dollar Costs of a Data Breach
The soft-dollar costs of a data breach are much more difficult to quantify. They’re also heavily dependent on the size of the organization in question and the size and type of the data breach itself. In general, though, the typical soft costs to consider are the following:
- Loss of revenue: Estimates are that an organization will experience a 5 to 6 percent loss in revenue for at least the first year after the breach. (Source: http://ww2.cfo.com/data-security/2015/03/calculating-colossal-cost-data-breach/)
- Class-action lawsuits: Organizations which incur a data breach are likely to be required to reimburse customers who lose money as a result of a data breach, for up to $1,000 per victim. (Source: http://ww2.cfo.com/data-security/2015/03/calculating-colossal-cost-data-breach/)
- Software costs: An organization which has suffered a data breach will need to procure and deploy additional software to track and remediate the breach, at an estimated $1,000,000 in initial costs, plus ongoing maintenance fees.
- Increased insurance costs: Following a data breach, an organization will likely incur higher cyber insurance deductibles and potentially premium increases.
- Outside counsel review: According to a report by the Rand Corporation, the cost of outside counsel review can be as much as $1,800 - $210,000 per GB of data. If you think about your organization’s sensitive data footprint, you can begin to imagine the magnitude of costs associated with any litigation related to a breach. (Source: https://www.lexisnexis.com/LegalNewsRoom/litigation/b/e-brief/posts/caution)
So do some calculations. Plug in the numbers for your own organization in each of the soft-dollar categories above. Then add these soft-dollar calculations onto the $15.4 million - $30.4 million figure above, and voilà: that’s what you can expect a data breach to cost your company.
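To make the worksheet above reproducible, here is a small Python calculator I've added (it is not part of the original article or its author's worksheet) that encodes the unit costs quoted in the hard- and soft-dollar lists and reports a low/high range for any breach size. The organization-specific inputs (annual revenue, sensitive-data footprint in GB, the share of victims who claim the $1,000 reimbursement, and any insurance increase, which the article does not quantify) are assumptions you supply.

```python
# Breach-cost worksheet built from the unit costs quoted in the article.
# Unit costs below come from the article's hard- and soft-dollar lists;
# revenue, data footprint, claim rate and insurance delta are your inputs.

def hard_cost_breakdown(records):
    """Hard-dollar line items for a breach of `records` records, as (low, high)."""
    mailings = records * 2 * 0.50          # two notification mailings at $0.50 each
    monitoring = records * 120 * 2         # $120/year credit monitoring for 2 years
    fte = 100_000 * 2                      # one extra FTE at $100k/year for 2 years
    return {
        "mailings": (mailings, mailings),
        "credit_monitoring": (monitoring, monitoring),
        "regulatory_fines": (1_000_000, 16_000_000),   # range quoted in the article
        "additional_fte": (fte, fte),
    }

def soft_cost_breakdown(records, annual_revenue, sensitive_gb,
                        claim_rate=1.0, insurance_increase=0):
    """Soft-dollar line items. `claim_rate` (fraction of victims who recover the
    $1,000 reimbursement) and `insurance_increase` (no figure in the article)
    are assumptions supplied by the caller."""
    return {
        "lost_revenue": (annual_revenue * 0.05, annual_revenue * 0.06),  # 5-6 %
        "class_action": (records * claim_rate * 1_000,) * 2,            # $1,000/victim
        "breach_software": (1_000_000, 1_000_000),                      # initial licence
        "insurance": (insurance_increase, insurance_increase),
        "outside_counsel": (sensitive_gb * 1_800, sensitive_gb * 210_000),  # per GB
    }

def total_range(*breakdowns):
    """Sum the low and high ends across one or more breakdown dicts."""
    low = sum(lo for b in breakdowns for lo, _ in b.values())
    high = sum(hi for b in breakdowns for _, hi in b.values())
    return low, high

def dominant_item(breakdown):
    """Line item with the largest high-end estimate, i.e. where the budget goes."""
    return max(breakdown, key=lambda k: breakdown[k][1])

if __name__ == "__main__":
    hard = hard_cost_breakdown(59_000)     # the article's average breach size
    # Constructed sample inputs for a mid-sized payer (not from the article).
    soft = soft_cost_breakdown(59_000, annual_revenue=500_000_000, sensitive_gb=10)
    print("hard-dollar range: ${:,.0f} - ${:,.0f}".format(*total_range(hard)))
    print("hard + soft range: ${:,.0f} - ${:,.0f}".format(*total_range(hard, soft)))
    print("largest hard-dollar item:", dominant_item(hard))
```

For 59,000 records the hard-dollar range reproduces the article's $15.4 million to $30.4 million; raising the record count shows credit monitoring overtaking even the top-end fine as the dominant line item.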
Soft-dollar Cost Worksheet for Data Breach
As you can see, the costs of breaches are significant—and they’re also likely to grow. The exercise above is a great start to putting together your business case for proper information governance of the information assets in your custody. If you'd like to present a more refined estimate based on your industry and potential breach sizes, we can help. You can request a complimentary estimate of what a data breach might cost your organization below.