How do you calculate the cost of a data breach?
Do you know how much a data breach would cost your company? Do you want a quick estimate relevant to your company, with no hidden assumptions, based on real data from other companies and reports?
This is a transparent and quick way of estimating potential data breach costs. Sum the 10 rows of the table below, filled in with your company's values, to get your total cost of a data breach. The table also includes recommended values based on several data breach reports (see the resources cited at the end of this article); they can anchor your estimates when you have no idea what the actual costs should be.
Feel free to play with these numbers for your company, but keep in mind that they are still estimates. The goal of this table is to be more sophisticated than a simple heuristic, yet more transparent and customizable than a calculator with hidden assumptions. Consider minimum and maximum values for each row, and how you could reduce the cost at each row; that may show you where to invest to prevent these costs.
Cost of a Data Breach | Recommended Value | Your Business |
---|---|---|
Reputation harm: unplanned loss of customers and business | 5% drop in annual revenue | |
Cost to identify and contain: engineering work | Reports estimate 200+ days on average to identify and contain; estimate how much time your team or contractors will spend exclusively on this instead of other projects. | |
Cost to contain: public relations and leadership work | Companies with incident response teams and DPOs typically see lower costs here. | |
GDPR regulation fines | Up to 4% of last year's turnover | |
Litigation costs | Extremely variable | |
Ransom costs | According to a 2020 report by Sophos, ransomware remediation costs US$732,500 on average when the ransom is not paid, and US$1,448,458 when it is paid. | |
Insurance increase | Will your insurance company charge you more? | |
Prevention: new tech investment (upgrade/replace) | Depends on what you need. | |
Prevention: cost to implement new processes or hires | Skilled privacy & security engineer salaries are typically $100,000-200,000/year | |
Cleanup: cost to notify victims | Between cents (sending emails) and hundreds of dollars (offering identity monitoring) | |
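As an added worked example (not code from the original article), here is the table turned into a small cost model: each row becomes a (low, high) dollar range built from the recommended anchors and your own inputs, and the rows are summed into a total, so you can see which rows dominate and what a minimum/maximum scenario looks like. The Business fields, the 260 working days per year used to turn a salary into a daily rate, and the example company are assumptions.

```python
from dataclasses import dataclass

# Anchors from the table above. WORKDAYS_PER_YEAR is an assumption used to turn
# an annual salary into a daily rate for the "identify and contain" row.
REVENUE_LOSS_FRACTION = 0.05        # reputation harm: 5% drop in annual revenue
GDPR_MAX_FRACTION = 0.04            # fine: up to 4% of last year's turnover
RANSOM_AVG = {"not_paid": 732_500, "paid": 1_448_458}   # Sophos 2020 averages
SALARY_RANGE = (100_000, 200_000)   # skilled privacy/security engineer, per year
NOTIFY_PER_VICTIM = (0.01, 100.0)   # cents for an email .. hundreds for monitoring
WORKDAYS_PER_YEAR = 260

@dataclass
class Business:
    annual_revenue: float
    engineer_days: int          # person-days spent exclusively on the incident
    victims: int                # people who must be notified
    pr_and_leadership: float    # your own estimate for the PR/leadership row
    litigation: float           # "extremely variable": your own estimate
    insurance_increase: float
    new_tech: float
    new_hires: int              # full-time hires for new processes
    ransom_paid: bool = False

def cost_rows(b: Business) -> dict[str, tuple[float, float]]:
    """Each table row as a (low, high) dollar range for this business."""
    daily_lo, daily_hi = (s / WORKDAYS_PER_YEAR for s in SALARY_RANGE)
    ransom = RANSOM_AVG["paid" if b.ransom_paid else "not_paid"]
    return {
        "reputation_harm": (0.0, REVENUE_LOSS_FRACTION * b.annual_revenue),
        "identify_and_contain": (b.engineer_days * daily_lo, b.engineer_days * daily_hi),
        "pr_and_leadership": (b.pr_and_leadership, b.pr_and_leadership),
        "gdpr_fine": (0.0, GDPR_MAX_FRACTION * b.annual_revenue),
        "litigation": (b.litigation, b.litigation),
        "ransom": (ransom, ransom),
        "insurance_increase": (b.insurance_increase, b.insurance_increase),
        "new_tech": (b.new_tech, b.new_tech),
        "new_hires": (b.new_hires * SALARY_RANGE[0], b.new_hires * SALARY_RANGE[1]),
        "notify_victims": (b.victims * NOTIFY_PER_VICTIM[0], b.victims * NOTIFY_PER_VICTIM[1]),
    }

def total_cost(b: Business) -> tuple[float, float]:
    """Sum every row, as the article describes, into a (low, high) total."""
    rows = list(cost_rows(b).values())
    return sum(lo for lo, _ in rows), sum(hi for _, hi in rows)

if __name__ == "__main__":
    acme = Business(annual_revenue=10_000_000, engineer_days=400, victims=50_000,  # constructed, not real data
                    pr_and_leadership=50_000, litigation=100_000, insurance_increase=20_000, new_tech=150_000, new_hires=1)
    print(cost_rows(acme), total_cost(acme))
```

For the constructed company the spread is roughly $1.3M to $7.5M, and the victim-notification row alone accounts for most of the top end, which is the kind of signal the article suggests using to decide where to invest.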
Sources and Learn More
If this table is too simple, you can find a really in-depth explanation of the costs of a data breach from Ryan McGeehan at https://magoo.medium.com/ and http://scrty.io/
My recommended values are based on these reports:
- IBM Data Breach report: https://www.ibm.com/reports/data-breach
- IAPP Getting to the ROI on Privacy: https://iapp.org/resources/article/getting-to-the-roi-of-privacy/
- Ponemon.org runs a large survey and finds that costs are rising each year: https://www.ponemon.org/userfiles/filemanager/qrylc104ssftu5sxcz32/
- Sophos, The State of Ransomware: https://www.sophos.com/en-us/content/state-of-ransomware