What’s the real cost of a data breach?

I was just reading the 2011 ISUG Report on Data Security Management Challenges that's available from the International Sybase User Group web site. You actually need to join the ISUG to get the report, although there's a free level of membership available.

This report summarizes what Unisphere Research learned from a survey of 216 members of the ISUG. I found one of the findings hard to interpret. This is what's shown in Figure 7 on page 11 of this report. The graph is captioned "Costs of Recent Data Breaches (Among respondents aware of a breach over the past 12 months)." Here's my version of it.


This is a bit hard to explain.

Other studies of the costs of data breaches have come up with much bigger estimates – typically close to $200 per record exposed and a total of over $6 million per breach. From everything that I've heard, the $6 million estimate is fairly accurate, so the ISUG number, which is roughly 100 times lower, is probably way off. It's hard to imagine that what the ISUG estimates as the total cost of a breach would even cover the lawyers' fees.

And you'd certainly expect more people to have an idea of how much their data breaches cost them. All they'd have to do is to remember the company meeting when the CEO said, "That data breach just cost us $8 million. Let's make sure that it doesn't happen again."

I'd say that the best explanation for this discrepancy is that the 3% in the above graph corresponds to a single person, so we're only looking at a sample of 10 people who had any idea of how much their recent breach cost them. If that's the case, such a small sample may not give very useful results. The Ponemon studies, for example, survey more people who had an idea of how much their breaches end up costing, so they probably give a better indication of how much breaches really cost, and their estimates tell us that it's really more like several million dollars per breach.

So the bottom line is that there's definitely some useful information in the 2011 ISUG Report on Data Security Management Challenges, but the cost of data breaches isn't part of this.

