One thing that’s really bugged me over the years when evaluating data breaches is the complete lack of consistency in cost reporting. On one side we have reports and surveys coming up with “per record” costs, often without any transparency as to where the numbers came from. On the other side are those that try to look at lost share value, or at directly reported losses in public companies’ financial statements, but I think we all know how inconsistent those numbers are as well.

Also, from what I can tell, in most of the “per record” surveys the biggest chunk (by far) is fuzzy soft costs like “reputation damage”. Not that there aren’t any losses due to reputation damage, but I’ve never seen any sort of justified model that accurately measures those costs over time. Take TJX for example – they grew sales after their breach.

So here’s a modest proposal for how we could break out breach costs in a more consistent manner:

Per Incident (Hard Costs):

  1. Incident investigation
  2. Incident remediation/recovery
  3. PR/media relations costs
  4. Optional: Legal fees
  5. Optional: Compliance violation penalties
  6. Optional: Legal settlements

Per Record (Hard Costs):

  1. Notification costs (list creation, printing, postal fees).
  2. Optional: Customer response costs (help desk per-call costs).
  3. Optional: Customer protection costs (fraud alerts, credit monitoring).

Per Incident (Soft Costs, i.e., not always directly attributable to the incident):

Trending is key here, especially trends that predate the incident. Without a pre-incident baseline you can’t tell a breach-driven change from one that was already under way.

  1. Customer Churn (% increase over trailing 6-month rate): 1 week, 1 month, 6 months, 12 months, n months.
  2. Stock Hit (not sure of best metric here, maybe earnings per share): 1 week, 1 month, 6 months, 12 months, n months.
  3. Revenue Impact (compared to trailing 12 months): 1 week, 1 month, 6 months, 12 months, n months.
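To make the hard/soft split concrete, here is an added example (my own illustration, not code or data from the original post) that sums the hard-cost line items above and measures a soft-cost metric as the excess over a pre-incident trend across the proposed windows. The line-item names, the 6-period baseline and the monthly churn figures are constructed assumptions for the demo; the post does not supply any numbers.

```python
"""Breach-cost breakdown: per-incident + per-record hard costs, and
soft costs measured as deviation from a pre-incident trend.
Added example; all figures below are constructed, not real data."""
from dataclasses import dataclass


@dataclass
class HardCosts:
    per_incident: dict  # line item -> amount (investigation, remediation, PR, ...)
    per_record: dict    # line item -> amount per record (notification, monitoring, ...)


def total_hard_cost(hard: HardCosts, records: int) -> float:
    """Hard cost = fixed per-incident items + per-record items * record count."""
    return sum(hard.per_incident.values()) + records * sum(hard.per_record.values())


def linear_trend(values):
    """Least-squares slope/intercept over evenly spaced periods 0..n-1."""
    n = len(values)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    slope = sxy / sxx if sxx else 0.0
    return slope, mean_y - slope * mean_x


def excess_over_trend(series, incident_index, baseline_periods, windows):
    """Compare post-incident windows against the trailing pre-incident trend.

    series           -- metric per period (monthly churn %, monthly revenue, ...)
    incident_index   -- index of the first period after the incident
    baseline_periods -- trailing periods before the incident used for the trend
    windows          -- window lengths in periods (1, 6, 12, ...)
    Returns {window: {"observed", "expected", "excess", "pct_over_trend"}}.
    Windows that extend past the available data are skipped, not guessed.
    """
    start = incident_index - baseline_periods
    if start < 0:
        raise ValueError("not enough pre-incident history for the baseline")
    slope, intercept = linear_trend(series[start:incident_index])
    results = {}
    for w in windows:
        if incident_index + w > len(series):
            continue
        observed = sum(series[incident_index:incident_index + w])
        # Extrapolate the pre-incident trend into the post-incident window.
        expected = sum(intercept + slope * (baseline_periods + i) for i in range(w))
        excess = observed - expected
        results[w] = {
            "observed": observed,
            "expected": expected,
            "excess": excess,
            "pct_over_trend": (excess / expected * 100) if expected else None,
        }
    return results


# Constructed demo figures (hypothetical, chosen to make the arithmetic visible).
DEMO_HARD = HardCosts(
    per_incident={"investigation": 150_000, "remediation": 200_000, "pr": 50_000},
    per_record={"notification": 1.20, "credit_monitoring": 10.00},
)
DEMO_RECORDS = 100_000
# Monthly churn %: six rising pre-incident months, then six post-incident months.
DEMO_CHURN = [2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 3.5, 3.0, 2.8, 2.7, 2.9, 3.0]
DEMO_INCIDENT_INDEX = 6


def demo_soft():
    return excess_over_trend(DEMO_CHURN, DEMO_INCIDENT_INDEX, 6, [1, 6, 12])


if __name__ == "__main__":
    print("hard cost:", total_hard_cost(DEMO_HARD, DEMO_RECORDS))
    for window, r in demo_soft().items():
        print(f"{window}-month churn: observed {r['observed']:.2f} "
              f"expected {r['expected']:.2f} excess {r['excess']:.2f}")
```

Note that the pre-incident churn was already rising 0.1 point a month, so a naive "before vs. after" comparison would overstate the breach effect; the trend extrapolation is what separates the incident from the background. The 12-month window is dropped because the constructed series does not reach that far, which is exactly the "n months" case where the honest answer is "not yet measurable".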

I tried to break them out into hard and soft costs (hard being directly tied to the incident, soft being polluted by other factors). Also, I recognize that not every organization can measure every category for every incident.

Not that I expect everyone to magically adopt this for standard reporting, but until we transition to a mechanism like this we don’t have any chance of really understanding breach costs.