What is the average cost of a data breach?

We've all read the statistics about the number of publicly-disclosed breaches and the number of public records that were compromised along the way. Think TJX, Heartland Payment Systems, the U.S. Department of Veteran's Affairs, and you are talking well over 100 million records alone. So how much does a data breach cost an organization? Good question as there are a lot of moving parts. You have to notify the users via regular mail, pay penalties and legal fees, cover customers with credit protection, develop and execute a PR "crisis mode" initiative, etc. Obviously this can run into some real dough but exactly how much are we talking? Based on many, many anecdotal conversations, ESG continues to estimate a cost of between $30 to $150 per record. Why the range? The majority of breaches are small and local in the hundreds of lost records. When your local hospital is breached, the clean-up costs are a lot less than when it happens to Citigroup. We've also seen a pattern of costs actually going down. Why? Unfortunately, data breaches are an all-too frequent event. Large organizations and outside experts have gained experience and are more efficient now than they were a few years ago. In my opinion, a range of $30 to $150 is about as close as it gets but some companies try to get a bit more precise. In doing some recent research, I came across a report from the Ponemon Institute which claimed that the cost of a breach was actually $204 in 2009, up from $202 in 2008 and $197 in 2007. This data was gathered through in-depth interviews with 45 organizations that had experienced a data breach. A press release declared that the "cost rose to $204 per compromised record in 2009." Now I hear that this research project is pretty thorough, but I have a few problems with this data and hyperbole: 1. The Ponemon data is based on organizations that experienced data breaches where 5,000 to 101,000 records were compromised. The number of organizations that fit this profile is a fraction of the number of breaches where dozens or hundreds of records are compromised. As I indicated, the cost per record here tends to be much less so we can't really judge the real cost of a data breach without considering this much larger population. 2. With a sample size of 45, the margin of error is over 14% in the Ponemon study. This means that there is no statistical difference between $204 (2009), $202 (2008), and $197 (2007) (Note: Even the $182 in 2006 is in the same ballpark). To paraphrase former President George H. W. Bush, declaring that the "cost rose to $204 per compromised record in 2009," amounts to "voodoo research." Data breaches are a big and yes, a costly problem but I contend that it is nearly impossible to measure the real true cost of a breach. Ponemon deserves credit for trying but we need to be careful about generalizing or hyping the results of small restricted research efforts that focus on a subset of the population. After all, security professionals are paid to assess risk and recommend solutions, not offer Chicken Little scenarios with hat in hand.