Quantifying Return on Privacy Spend - 6 Criteria

The cost of privacy efforts is one of the most intractable categories of business spend. Most of the savings a firm realizes from its significant expenditures are akin to “what’s the color of the bus that didn’t hit me?” – that is, cost and risk avoidance. Risk avoidance is important, but it is hard to quantify, and therefore hard to justify expenditures on.

Despite the difficulty of quantifying the return on investment in privacy, few firms would argue that privacy isn’t worth investing in. At the firms Doculabs works with, nearly all attempt to define some form of justification for spend on privacy — and nearly all struggle to articulate that justification. Regardless, putting in the effort to define (however imperfectly) the ROI of privacy delivers benefits – one of which is a baseline against which to judge the success of effort and investment.

There are a number of possible criteria for quantifying return on privacy spend. In this post we provide a high-level introduction to those criteria. You can download our comprehensive white paper for a more thorough discussion.

6 Possible Criteria for Quantifying Return on Privacy Spend:

  1. Cost per record for a breach (e.g., PHI, PCI, PII)
  2. Average cost per breach
  3. Costs of expected lawsuits
  4. Costs of public relations mitigation
  5. Loss of revenue
  6. Reputational Damage

1. Cost Per Record for a Breach

Estimating the cost of a breach by multiplying the typical fine per record by the likely number of records at risk is perhaps the most straightforward way to quantify the dollar value of investments in privacy. The math is simple: what are the mandated fines for a record of PHI, for example? How many records of PHI do we have on our systems? The current dollar risk we’re carrying is the first number times the second. There are caveats though. You can download the full white paper to learn why and what those are.

2. Average Cost Per Breach

The average-cost-per-breach criterion is similar to cost per record, except that it aggregates breached records into incidents; it has mostly the same benefits and challenges. Basically, you can look at publicly available numbers for cost per breach and then, adjusting for industry, organization size, etc., use them to estimate what breaches would cost in general for your organization. Then you would estimate how many breaches per year (or over a multi-year timeframe) you should expect to experience, calculate the costs, and compare them to the costs of remediation.
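The arithmetic behind criteria 1 and 2, worked through as an added example (not code from the post or from Doculabs): criterion 1 is records at risk times fine per record; criterion 2 is expected breaches over a planning horizon times cost per breach, compared against the cost of remediation. The model assumes, as a labelled input, that remediation prevents some fraction of expected breaches; all dollar figures and breach rates below are constructed.

```python
from dataclasses import dataclass


@dataclass
class PrivacyRiskInputs:
    records: int                # regulated records held (e.g., PHI)
    fine_per_record: float      # mandated fine per exposed record
    breaches_per_year: float    # expected breach count per year
    years: int                  # planning horizon in years
    remediation_cost: float     # total privacy spend over the horizon
    breach_reduction: float     # ASSUMPTION: fraction of expected breaches prevented


def per_record_exposure(inp: PrivacyRiskInputs) -> float:
    """Criterion 1: current dollar risk = records at risk x fine per record."""
    return inp.records * inp.fine_per_record


def expected_breach_cost(inp: PrivacyRiskInputs, cost_per_breach: float) -> float:
    """Criterion 2: expected breaches over the horizon x average cost per breach."""
    return cost_per_breach * inp.years * inp.breaches_per_year


def return_on_privacy_spend(inp: PrivacyRiskInputs, cost_per_breach: float) -> dict:
    """Compare the expected loss avoided by remediation against its cost.

    'rosi' is net return per dollar spent; a remediation cost of zero has no
    meaningful ratio, so it is reported as None rather than dividing by zero.
    """
    if not 0.0 <= inp.breach_reduction <= 1.0:
        raise ValueError("breach_reduction must be a fraction between 0 and 1")
    before = expected_breach_cost(inp, cost_per_breach)
    after = before * (1.0 - inp.breach_reduction)
    avoided = before - after
    net = avoided - inp.remediation_cost
    rosi = net / inp.remediation_cost if inp.remediation_cost else None
    return {"expected_loss_before": before, "expected_loss_after": after,
            "avoided_loss": avoided, "net_return": net, "rosi": rosi}


# Constructed sample inputs: 250,000 PHI records, $50 fine per record,
# 0.4 breaches/year over 3 years, $4M per breach, $1.5M remediation.
SAMPLE = PrivacyRiskInputs(records=250_000, fine_per_record=50.0,
                           breaches_per_year=0.4, years=3,
                           remediation_cost=1_500_000.0, breach_reduction=0.5)

if __name__ == "__main__":
    print("criterion 1 exposure:", per_record_exposure(SAMPLE))
    print("criterion 2 comparison:", return_on_privacy_spend(SAMPLE, 4_000_000.0))
```

The `breach_reduction` input is the figure a business case most often leaves unstated; making it explicit is what turns the comparison into a defensible claim rather than a bare exposure number.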

3. Costs of Expected Lawsuits

Lawsuits are similar to the first two criteria in that they’re event based and measurable; however, they differ in two important ways. There aren’t hard and fast dollars mandated for non-compliance, and internal costs for litigation are often unknown. These don’t entirely disqualify using litigation costs as drivers for your privacy business case, but they do constrain the nature of your claims in important ways.

4. Costs of Public Relations Mitigation

This criterion brings us to the less tangible (but nonetheless important) criteria. Unless your organization has experienced multiple PR disasters, it will be hard to get your arms around what the PR costs of a breach are. If, in contrast, your organization has ample experience with PR meltdowns, calculating the costs of the PR response to privacy incidents is relatively straightforward: get the costs per incident over X timeframe, average them out, normalize for the effort required for a privacy incident, and plug that into your business case.

5. Loss of Revenue

Loss of revenue is an even fuzzier criterion than PR response costs. On the one hand, this is because revenue loss can be due to a variety of factors: loss of customers, loss of market share, exclusion from product categories or channels, etc. On the other, it’s because — beyond core business metrics for measuring profitability (like cost of goods sold, average deal size, etc.) — many organizations don’t have a granular understanding of revenue generation. With this criterion we’re potentially in the world of unhinged speculation.

6. Reputational Damage

In terms of quantifying the returns on privacy investments, with reputational damage we go from bad to worse for most organizations. Part of this is the extreme difficulty of quantifying reputation damage following a privacy incident. But more significantly, U.S. consumers have a notoriously short memory for corporate failings. And even if we noticed a drop in customers after a privacy incident, for example, this could be due to normal fluctuations, adverse weather, the larger economy, or other factors. So, as with loss of revenue, using reputational damage as a key lever for justifying privacy investment tends to be a losing bet.

For more details and calculation guidance for these criteria, download The Business Value of Privacy white paper.

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.