I’m still catching up on my blogroll, and caught this article over at Emergent Chaos, which also referenced this one by Thurston. Both articles discuss the infamous Ponemon study that claimed the average losses in a breach were $182 per record.

Here are a couple of things to keep in mind. That particular survey was sponsored by two data security vendors: PGP and Vontu. I like both companies, and they really do help reduce breaches, but never NEVER trust vendor-sponsored numbers. I’ve written surveys; it’s damn hard, and even harder to remove bias.

This survey focused on breaking down the costs to companies that suffered breaches. In the full response details (which I can’t release since I don’t think they’re public) the costs are broken down between “hard” costs like notification and cleanup, and “soft” costs like reputation damage. Even if we remove any potential bias from Ponemon, the companies themselves doing the reporting are self-biased. If they want more money for security, they’ll exaggerate costs. If they are covering their behinds, they reduce the number, and if they’re public and have to report in a 10-K, they’ll tend to guess high.

None of it matters. All these numbers are different odors from the same source.

The hard costs alone are pretty easy to measure, and in most cases are more than enough to spur investment. How much does it cost you to compile a list of victims, get their addresses, print envelopes, stuff them, mail them, and deal with complaint/question calls? In presentations I often say let’s call it $2, and we all know it’s more than that. As the other posts state, if you add in credit monitoring costs that’s another $10 per record (most companies don’t seem to enroll people in these anymore).

If you’re fighting your CFO, and have anything more than a few tens of thousands of records, $2 per record is all you should need to get their attention. One million customers = $2 million in losses, even without any fines or cleanup costs.

The one category I call total BS on is “reputation” damage. Study after study shows that consumers will always say they’ll switch brands/providers if their information is lost, but looking at the real numbers this almost never happens. Why? Because it’s like moving from trash to junk to garbage: consumers don’t really believe any company is materially better than any other one at security, so it doesn’t drive their behavior.