How do you calculate the cost of a data breach?
Do you know how much a data breach would cost your company? Do you want a quick estimate relevant to your company, with no hidden assumptions and based on real data from other companies and reports?
This is a transparent and quick way of estimating potential data breach costs. The 10-row table below can be summed to get your total cost of a data breach, based on your company's values. The table also includes recommended values, based on several data breach reports (see the resources cited at the end of this article). The recommended values can help anchor your estimates when you have no idea what the actual costs should be.
Feel free to play with these numbers for your company, but keep in mind that these are still estimates. The goal of this table is to provide something more sophisticated than a simple heuristic, but more transparent and customized than a calculator with hidden assumptions. Consider minimum and maximum values for each row, or how to reduce the cost in each row. It might also give you ideas about where to invest to prevent these costs!
Cost of a Data Breach

| Cost item | Recommended value / note |
| --- | --- |
| Reputation harm: unplanned loss of customers and business | 5% drop in annual revenue |
| Cost to identify and contain: engineering work | Reports estimate 200+ days on average to identify and contain; estimate how much time your team or contractors will spend exclusively on this instead of other projects. |
| Cost to contain: public relations and leadership work | Companies with incident response teams and DPOs typically see lower costs here. |
| GDPR regulation fines | Up to 4% of last year's turnover |
| Ransomware remediation | According to a 2020 report by Sophos, ransomware attack remediation efforts cost on average US$732,500 when a ransom is not paid and US$1,448,458 when a ransom is paid. |
| Will your insurance company charge you more? | |
| Prevention: new tech investment (upgrade/replace) | Depends on what you need. |
| Prevention: cost to implement new processes or hires | Skilled privacy & security engineer salaries are typically $100,000-200,000/year |
| Cleanup: cost to notify victims | Between cents (send emails) and hundreds of dollars (offering identity monitoring) |
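Worked example, added here and not part of the original article: a small Python calculator that turns the table's recommended anchors into a low/high range per row and a summed total. The company inputs are a constructed sample, and the per-victim notification range (1 cent for an email up to $100 for identity monitoring) is an assumption drawn from the "cents to hundreds of dollars" wording.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Anchors taken from the table above (recommended values, not company data).
REPUTATION_REVENUE_DROP = 0.05                 # 5% drop in annual revenue
GDPR_MAX_TURNOVER_SHARE = 0.04                 # fines up to 4% of last year's turnover
RANSOMWARE_REMEDIATION = (732_500, 1_448_458)  # Sophos 2020: ransom not paid, ransom paid
HIRE_SALARY_RANGE = (100_000, 200_000)         # privacy/security engineer salary per year
NOTIFY_PER_VICTIM = (0.01, 100.0)              # assumption: cents (email) to $100 (monitoring)


@dataclass
class Company:
    """Inputs a company fills in; every value used below is a constructed example."""
    annual_revenue: float        # last year's revenue/turnover in USD
    engineer_day_cost: float     # fully loaded cost of one engineer-day in USD
    engineers_on_incident: int   # people working exclusively on identify/contain
    days_to_contain: int         # the table anchors this at 200+ days
    victims: int                 # people who must be notified
    new_hires: int               # "processes or hires" row
    pr_and_leadership: float     # your own estimate for that row
    new_tech: float              # "depends on what you need"
    insurance_increase: float    # premium increase, 0 if unknown
    ransom_paid: Optional[bool] = None  # None keeps both Sophos figures as a range


def estimate_breach_cost(c: Company) -> Dict[str, Tuple[float, float]]:
    """Return each table row as a (low, high) USD range, plus a summed 'Total' row."""
    containment = c.engineers_on_incident * c.days_to_contain * c.engineer_day_cost
    ransomware = RANSOMWARE_REMEDIATION if c.ransom_paid is None else (
        (RANSOMWARE_REMEDIATION[int(c.ransom_paid)],) * 2)
    rows = {
        "Reputation harm": (REPUTATION_REVENUE_DROP * c.annual_revenue,) * 2,
        "Identify and contain (engineering)": (containment, containment),
        "Contain (PR and leadership)": (c.pr_and_leadership,) * 2,
        "GDPR fines": (0.0, GDPR_MAX_TURNOVER_SHARE * c.annual_revenue),
        "Ransomware remediation": ransomware,
        "Insurance increase": (c.insurance_increase,) * 2,
        "Prevention: new tech": (c.new_tech,) * 2,
        "Prevention: processes/hires": tuple(s * c.new_hires for s in HIRE_SALARY_RANGE),
        "Cleanup: notify victims": tuple(p * c.victims for p in NOTIFY_PER_VICTIM),
    }
    rows["Total"] = (sum(lo for lo, _ in rows.values()), sum(hi for _, hi in rows.values()))
    return rows


if __name__ == "__main__":
    # Constructed sample company, not real data.
    sample = Company(annual_revenue=50_000_000, engineer_day_cost=800, engineers_on_incident=3,
                     days_to_contain=200, victims=100_000, new_hires=1, pr_and_leadership=50_000,
                     new_tech=150_000, insurance_increase=20_000)
    for name, (lo, hi) in estimate_breach_cost(sample).items():
        print(f"{name:38s} ${lo:>14,.0f}  -  ${hi:>14,.0f}")
```

The wide spread between the low and high totals is the point: the GDPR cap and per-victim notification rows dominate, which tells you where a company-specific estimate (and prevention spend) matters most.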
Sources and Learn More
My recommended values are based on these reports:
- IBM Data Breach report: https://www.ibm.com/reports/data-breach
- IAPP Getting to the ROI on Privacy: https://iapp.org/resources/article/getting-to-the-roi-of-privacy/
- Ponemon.org does a large survey and finds costs are rising each year: https://www.ponemon.org/userfiles/filemanager/qrylc104ssftu5sxcz32/
- Sophos, The State of Ransomware: https://www.sophos.com/en-us/content/state-of-ransomware