A common fear of privacy officers is a data breach, the unauthorized acquisition or processing of personal information that is maintained by an organization. The fear is enhanced by some IT security folks reminding us that “there are two types of companies, those that have been breached and those that don’t know they’ve been breached.” I don’t know any privacy officer who gets a warm and fuzzy feeling when hearing that.

Anticipating the cost of a data breach

When I discuss data breaches with my clients, the question of the impacts to their organization always comes up. We discuss costs associated with analyzing the breach, notifying impacted individuals, reputational damage, lost customers, identity theft protection, productivity impacts, and executive distraction as a start.

This time of year, you see various reports published discussing the nature and the associated costs of data breaches that occurred the previous year. The Ponemon Institute and Verizon Enterprise Solutions provide analyses that I tend to favor. These documents provide insight into what has happened in the past to a population of companies that meet certain criteria in each study. However, the profile of the companies in these studies’ populations may not match yours. Therefore, they can provide some guidance, a ballpark figure if you will, on what a breach may cost, but it is not tailored for your specific needs.

St. Joseph’s University and the Analytics Cup

Dr. Ronald Klimberg, Professor of Decision & System Science at St. Joseph’s University in Philadelphia, holds a competition as the final project of his Advanced Analytics course each semester. The Analytics Cup breaks the class into teams, with each team working on a project defined by a business.

In the fall of this year, my company, Privacy Ref, proposed a project to predict the cost of a data breach for a company. Two of the eight teams took up the challenge. Neither team had any background in privacy. Other projects in the semester’s competition involved analysis of donations to the university by alumni, production optimization for a brew pub, and ticket pricing for a professional soccer team.

The teams I worked with individually did their research to understand privacy. Privacy Ref provided materials and guidance throughout the project. Sam Pfeifle, Content Director at the International Association of Privacy Professionals, provided access to the organization’s resource center for the teams’ use. The teams also met with privacy officers from enterprise-size organizations in retail, financial services, entertainment and health care.

In early December, the teams presented their project results to a team of judges, the students’ peers, the projects’ sponsors, and Dr. Klimberg. The two teams working on the predictive model took top honors.

A predictive model for the costs of a data breach

The guidelines for developing the model had one requirement: it must be “easy.” It had to be easy to use, easy to distribute, and easy to understand the results.

Both teams took a similar approach in developing their models. Each team developed a survey to gather estimates of the costs contributing to the overall cost of a data breach. Some of these costs were found to be dependent on the number of records lost in the breach (e.g. notification costs) while others were independent of the size of the breach (e.g. public relations).

The survey asks for a minimum, maximum and most likely estimate for each item. Based on these responses, 1,000 trials are then run to determine the costs of the data breach using a triangular distribution. These results are averaged to provide a prediction for the cost of the scenario.

To meet the “easy” guideline, both teams created their models using Microsoft Excel. The differences between the two models were how the survey information was gathered and how the results were presented.

I am using the model developed by Michael Gannon, Samantha Melnick and Rebecca Rosati as a foundation for my clients to predict their data breach costs. Starting from the work the students have done, an organization can obtain an estimate, or it may enhance the model to get a more finely tailored estimate of the cost of a data breach.

Getting the model

The model is available free of charge (though a donation to St. Joseph’s University is preferred) on the Presentation & Papers page at the Privacy Ref website. Also available on that page is a presentation done by the students describing their model. (Please note: You will be asked to provide your contact information to access the model and/or the presentation.)

The students will be presenting their model at the International Association of Privacy Professionals Global Privacy Summit, April 18 through 20, in Washington, D.C.
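
The simulation described under "A predictive model for the costs of a data breach", sketched in Python as an added example. It is not the students' Excel model: the cost items, dollar ranges and record count are constructed for illustration. It goes slightly beyond the text by also reporting percentiles and the closed-form mean that the averaged trials converge to.

```python
import random
import statistics

# Constructed survey answers as (minimum, most likely, maximum) in dollars.
# Item names and ranges are illustrative assumptions, not the students' data.
PER_RECORD = {"notification": (0.50, 2.00, 5.00),
              "identity_theft_protection": (5.00, 10.00, 20.00)}
FIXED = {"public_relations": (20_000, 50_000, 150_000),
         "breach_analysis": (30_000, 80_000, 250_000)}

def check(items):
    """Reject estimates that are negative or not ordered min <= likely <= max."""
    for name, (lo, likely, hi) in items.items():
        if not 0 <= lo <= likely <= hi:
            raise ValueError(f"{name}: need 0 <= min <= most likely <= max")

def simulate(records, per_record=PER_RECORD, fixed=FIXED, trials=1000, seed=None):
    """Return one total breach cost per trial, each item drawn from a triangular distribution."""
    check(per_record)
    check(fixed)
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), so reorder the tuple.
        scaled = sum(rng.triangular(lo, hi, likely) for lo, likely, hi in per_record.values())
        flat = sum(rng.triangular(lo, hi, likely) for lo, likely, hi in fixed.values())
        totals.append(records * scaled + flat)
    return totals

def expected_mean(records, per_record=PER_RECORD, fixed=FIXED):
    """Closed-form mean: a triangular distribution averages (min + likely + max) / 3."""
    scaled = sum(sum(t) / 3 for t in per_record.values())
    flat = sum(sum(t) / 3 for t in fixed.values())
    return records * scaled + flat

def summarize(totals):
    """Average (the prediction described in the text) plus 10th and 90th percentiles."""
    ordered = sorted(totals)
    n = len(ordered)
    return {"mean": statistics.fmean(ordered),
            "p10": ordered[int(0.10 * n)],
            "p90": ordered[int(0.90 * n)]}

if __name__ == "__main__":
    result = summarize(simulate(records=10_000, seed=1))
    print({k: round(v) for k, v in result.items()})
    print("closed-form mean:", round(expected_mean(10_000)))
```

The average alone could be computed from the closed form; the trials earn their keep by showing how wide the spread around that average is for a given scenario.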