• United States



by Jaikumar Vijayan, Computerworld

Calculating the Cost of a Data Breach

Apr 12, 20073 mins
Data and Information SecurityData BreachROI and Metrics

Want to know just how much a data breach is likely to end up costing your company? Darwin Professional Underwriters may be able to help.

The Farmington, Conn.-based technology liability insurance company has released a free online calculator that it said allows businesses to estimate—with a fair degree of accuracy—their financial risk from data theft.

Darwin’s Data Loss Cost Calculator uses proprietary algorithms developed with security breach data from media reports and other industry resources, according to the company. Among them was Ponemon Institute’s 2006 security breach and cost-analysis survey of 31 companies that had suffered data breaches.

Basically, the calculator allows companies to get hard cost estimates in three major categories: internal investigation expenses, customer notification/crisis management costs, and regulatory and other compliance expenses. Companies input data in the respective fields in the calculator to get instant estimates for costs associated with breach-related activities such as customer notification, credit monitoring, crisis management consulting, state or federal fines, and attorney fees.

“When we talk with different risk managers and CIOs, the constant refrain we hear is, ‘Show me how much it costs when someone breaches our information,’ ” said Adam Sills, lead underwriter for Darwin’s technology and information liability initiatives. “There are different statistics from different sources” that have made it hard for companies to assess their financial risk, he said.

The online calculator is “our best guess, using the best information out there for how much this stuff costs,” he said. “These are the hard costs that you can quantify when you have a serious situation.”

The calculator does not include costs associated with any class-action or other lawsuits that might follow a data breach, he said. Nor does it look at the effect on stock prices or reputation, because such numbers can vary by incident and are much harder to generalize.

Such calculators can be pretty useful in helping companies arrive at a better understanding of the financial implications of a breach, said Pete Lindstrom, an analyst at Midvale, Utah-based Burton Group. “I’m a big fan of calculators,” he said. “It grounds security folks in a way that talking ephemerally about brand damage doesn’t.”

Although the numbers thrown out by Darwin’s calculator may not always be accurate for everyone all the time, they give IT managers “a way to think more concretely about the nature of the problem,” he said. “We need to collect information like this, even if they are broad estimates, to get smarter. This is as good a start as any.”

Avivah Litan, an analyst at Stamford, Conn.-based Gartner, said that such calculators “can give people a way to structure their thinking on the cost implications of a breach. I wouldn’t bet my house or my enterprise on these numbers. A lot of the costs are often exaggerated.”

Even so, as tools to get people thinking about the hard costs of security breaches, such calculators can at least offer worst-case estimates, she said.

-Jaikumar Vijayan, Computerworld