December 7th, 2005 by Chandler Howell

While the source is PGP, a vendor with a vested interest in people seeing privacy breaches, there is still some interesting research on the per-incident costs of privacy breaches in this Network World article, which I came across while catching up on my reading. (Thanks to nCircle's blog for the link.)

The first report is a survey of 14 organizations that lost confidential customer information and had a regulatory requirement to notify the affected individuals. The 14 organizations primarily hailed from the financial services arena but also included retailers, insurance companies, telecom firms, higher education and healthcare.

Coping with and recovering from a single security breach cost on average $14 million per company per breach, or $140 per lost customer record. The direct costs in incremental spending for outside legal counsel, increased call-center costs and related items alone were $5 million.

I bit the bullet and registered to download the actual studies. Here’s what that $14 million includes:

Breaches included in the survey ranged from 1,500 records to 900,000 records from 11 different industry sectors. In general, the largest breaches occurred in financial services, data integration, and retail; the smallest were in higher education and health care. Information in this study covers the costs of almost 1.4 million customer records compromised.

Among the study’s key findings:
• Total costs to recover from a data breach averaged $14 million per company or $140 per lost customer record
• Direct costs for incremental, out-of-pocket, unbudgeted spending averaged $5 million per company or $50 per lost customer record for outside legal counsel, mail notification letters, calls to individual customers, increased call center costs, and discounted product offers
• Indirect costs for lost employee productivity averaged $1.5 million per company or $15 per customer record
• Opportunity costs covering loss of existing customers and increased difficulty in recruiting new customers averaged $7.5 million per company or $75 per lost customer record. Overall customer loss averaged 2.6% of all customers and ranged as high as 11%.

These cost estimates include recovery costs only and do not include the cost of putting in place technology and procedures to ensure such breaches do not occur in the future.

Personally, I'd stop short of claiming any more than that $50/record of direct costs if I were using this to justify encrypting, destroying, or otherwise protecting data. Besides, unless you're talking about more PII than the average personal address book, $50/record should produce a large enough number to get people's attention, and it provides an easy-to-work-with figure for ROM (rough order of magnitude) calculations.

One other interesting thing I noticed about this study: all three case studies involved disclosure of credit card numbers, but none of them seemed to include the cost of re-issuing cards. That would mean there is an unaccounted-for externality here, since re-issuing is a significant direct cost to the credit card issuer.

For some reason, $27/card pops into my head, but I'm too lazy to check it right now. Even if that were the total cost of handling an incident, a range of $25-$50/record is still a pretty good figure to work with.

- Posted in Security and Risk Management, Risk Management, Privacy
