2014-08-22 - General, HIPAA, PCI DSS, Security

Data breaches of significant size are constantly in the media. The most publicized recent event is probably the Target data breach that happened just before Christmas in 2013. But there are many other large ones. I just read a commentary in which the author described breaches as being more common than the common cold. That is probably not quite correct yet, but I can understand his viewpoint. Just four days ago, another large breach was made public. 4,500,000 Social Security Numbers, together with their holders' names, addresses and phone numbers, were stolen from Community Health Systems (CHS). On their website you can find out that "Community Health Systems, Inc. is one of the nation’s leading operators of general acute care hospitals. The organization’s affiliates own, operate or lease 206 hospitals in 29 states with approximately 31,100 licensed beds." If you have been to any of their facilities in the last five years, you are affected - not just probably affected but most certainly affected.

The Cost of a Data Breach

So how expensive is a breach?

The cost of a security breach to a company is surprisingly difficult to measure. There is the immediate cost. You have to clean up the data. You have to remove viruses and other malicious code that the intruders left behind. You might have to struggle with downtime while you are restoring your database from a pre-incident backup.

Then you have to respond to and cooperate with government investigations. If your data is protected under the HIPAA or PCI rules, this is going to happen. In other cases, a law enforcement investigation still might happen, depending on a few different factors.

If data covered by HIPAA or PCI was involved, you can expect a fine. Fines for credit card data breaches, for example, start at USD 100,000 and go up from there.

CHS' data was protected under the HIPAA law, even though no clinical data was stolen. On the day after the incident, the company announced that they would be paying for identity theft protection for everybody affected. That is, for 4,500,000 people. Identity theft protection runs at around USD 20 a month. You can assume that someone buying that service in bulk will get a discount. On the other hand, insurance prices are generally based on risk, and there is an extremely high risk for these people. In fact, as no payment and no clinical information is part of the stolen records, identity theft is the only thing that the thieves can do with the newly acquired "treasure".

So let us assume for simplicity that CHS will have to pay only 10% of the shelf price. That is still a total of USD 9,000,000. And this is not a one-time investment; this charge will show up in CHS' accounts every month going forward. They are probably going to have to pay this for one year at least. That means we are looking at a total of just over USD 100,000,000. If it comes to a class action lawsuit, this might be extended indefinitely.

The Hidden Costs

Those costs are all directly visible in the books. Target announced about six months after their event that they had so far paid about USD 150,000,000 in those visible expenses. However, there is a hidden component to the costs of a data breach. If you are announcing a large breach (and believe me, not announcing it will make things a lot worse), there is an immediate impact on customer loyalty and trust. Target reported about 50% less revenue in the last quarter of 2013 compared to the same timeframe the year before.

And those numbers have not yet recovered. The hidden cost of that breach is still going up. The New York Times quotes John Kindervag, vice president of Forrester Research, as saying "I don’t see how they’re getting out of this for under a billion" USD. That includes those hidden costs over time as well as the visible costs. In Target's case, the visible costs include, for example, the payments to the credit card payment networks, which now ask Target to cover the damage every time one of the affected or likely affected cards is involved in a fraud.

Can you afford to be hacked?

According to a study done last year by the security service provider Symantec, the cost of a breach is USD 188.

That is USD 188 per affected record of the data breach on average.

This number is an average, so your individual results might vary. However, unless you are dealing with a breach of a very large or very small number of records (even for a single stolen credit card you might end up having to pay that USD 100,000 fine), your actual cost will probably be close to this average.

I would like you to think about how many customers you have. 1000? 5000? Now multiply that number by USD 188. Can you afford to lose USD 188,000 or even USD 940,000 right now?

If not, now is the time to act and tighten your database security.

