How can you predict the costs of a data breach for your company?

Mar 06, 2017 | 4 mins
Data Breach, Predictive Analytics, Privacy

Historical information is available, but predictive models have been rare. Students from St. Joseph's University in Philadelphia have helped fill this gap.

A common fear of privacy officers is a data breach, the unauthorized acquisition or processing of personal information that is maintained by an organization. The fear is enhanced by some IT security folks reminding us that “there are two types of companies, those that have been breached and those that don’t know they’ve been breached.” I don’t know any privacy officer who gets a warm and fuzzy feeling when hearing that.

Anticipating the cost of a data breach

When I discuss data breaches with my clients, the question of the impact on their organization always comes up. As a start, we discuss the costs associated with analyzing the breach, notifying impacted individuals, reputational damage, lost customers, identity theft protection, productivity impacts, and executive distraction.

This time of year, you see various reports published discussing the nature and the associated costs of data breaches that occurred the previous year. The Ponemon Institute and Verizon Enterprise Solutions provide analyses that I tend to favor. These documents provide insight into what has happened in the past to a population of companies that meet certain criteria in each study. However, the profile of the companies in these studies’ populations may not match yours. Therefore, they can provide some guidance, a ballpark figure if you will, on what a breach may cost, but they are not tailored to your specific needs.

St. Joseph’s University and the Analytics Cup

Dr. Ronald Klimberg, Professor of Decision & System Science at St. Joseph’s University in Philadelphia, holds a competition as the final project of his Advanced Analytics course each semester. The Analytics Cup breaks the class into teams with each team working on a project defined by a business.

Last fall, my company, Privacy Ref, proposed a project to predict the cost of a data breach for a company. Two of the eight teams took up the challenge. Neither team had any background in privacy. Other projects in the semester’s competition involved analysis of donations to the university by alumni, production optimization for a brew pub, and ticket pricing for a professional soccer team.

I worked with each team individually, and each did its own research to understand privacy. Privacy Ref provided materials and guidance throughout the project. Sam Pfeifle, Content Director at the International Association of Privacy Professionals, provided access to the organization’s resource center for the teams’ use. The teams also met with privacy officers from enterprise-size organizations in retail, financial services, entertainment and health care.

In early December, the teams presented their project results to a team of judges, the students’ peers, the projects’ sponsors, and Dr. Klimberg. The two teams working on the predictive model took top honors.

A predictive model for the costs of a data breach

The guidelines for developing the model had one requirement: it must be “easy.” It had to be easy to use, easy to distribute and easy to understand the results.

Both teams took a similar approach in developing their models. Each team developed a survey to gather estimates of the individual costs that contribute to the overall cost of a data breach. Some of these costs were found to depend on the number of records lost in the breach (e.g., notification costs) while others were independent of the size of the breach (e.g., public relations).

The survey asks for a minimum, a maximum and a most likely estimate for each item. Based on these responses, 1,000 trials are run in which each item is drawn from a triangular distribution defined by its three estimates, and the trial totals are averaged to provide a predicted cost for the scenario.
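The following is an added example, written for this page, of the simulation the two paragraphs above describe; it is not the students’ Excel model or any code from Privacy Ref. The cost items, their three-point estimates and the 100,000-record scenario are constructed, hypothetical figures (not taken from any study), and the Python function and class names are my own. Beyond the average the text describes, it also reports percentiles of the trial totals and checks the simulated mean against the closed-form mean of a triangular distribution, (low + mode + high) / 3, which is how you can tell whether 1,000 trials were enough.

```python
"""Monte Carlo data-breach cost estimate from three-point (min / most likely / max) survey answers."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class CostItem:
    """One survey line: a three-point estimate plus whether it scales with records lost."""
    name: str
    low: float          # survey minimum
    mode: float         # survey "most likely"
    high: float         # survey maximum
    per_record: bool    # True: cost per record (e.g. notification); False: fixed (e.g. PR)

    def __post_init__(self):
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"{self.name}: need low <= mode <= high")

    def scale(self, records_lost):
        return records_lost if self.per_record else 1


def simulate_breach_cost(items, records_lost, trials=1000, seed=None):
    """Draw every item from triangular(low, mode, high) once per trial and sum the draws.

    Returns (mean_cost, ascending list of per-trial totals)."""
    rng = random.Random(seed)   # seed only makes the run reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for item in items:
            # random.triangular takes (low, high, mode): note the argument order
            total += rng.triangular(item.low, item.high, item.mode) * item.scale(records_lost)
        totals.append(total)
    totals.sort()
    return statistics.fmean(totals), totals


def analytic_mean(items, records_lost):
    """Closed-form expectation: the mean of a triangular distribution is (low + mode + high) / 3."""
    return sum((i.low + i.mode + i.high) / 3 * i.scale(records_lost) for i in items)


def cost_bounds(items, records_lost):
    """No trial can fall outside [every item at its minimum, every item at its maximum]."""
    return (sum(i.low * i.scale(records_lost) for i in items),
            sum(i.high * i.scale(records_lost) for i in items))


def percentile(sorted_totals, p):
    """Nearest-rank percentile (p in 0..100) of an ascending list."""
    rank = max(1, math.ceil(p / 100 * len(sorted_totals)))
    return sorted_totals[rank - 1]


# Constructed sample survey: hypothetical dollar figures, not from any study or the students' model.
SAMPLE_ITEMS = [
    CostItem("notification letters", 0.50, 1.50, 3.00, per_record=True),
    CostItem("identity theft protection", 5.0, 10.0, 15.0, per_record=True),
    CostItem("forensic investigation", 50_000, 120_000, 300_000, per_record=False),
    CostItem("public relations", 25_000, 60_000, 150_000, per_record=False),
    CostItem("legal and regulatory response", 40_000, 100_000, 400_000, per_record=False),
]


def report(items=SAMPLE_ITEMS, records_lost=100_000, trials=1000, seed=2017):
    """Summary a privacy officer can read: the mean plus the spread the mean alone hides."""
    mean, totals = simulate_breach_cost(items, records_lost, trials, seed)
    low, high = cost_bounds(items, records_lost)
    return {
        "records_lost": records_lost,
        "mean": mean,
        "analytic_mean": analytic_mean(items, records_lost),
        "p10": percentile(totals, 10),
        "p50": percentile(totals, 50),
        "p90": percentile(totals, 90),
        "min_possible": low,
        "max_possible": high,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>14}: {value:,.0f}")
```

Two things worth noticing when you run it. First, the simulated mean lands within a fraction of a percent of the analytic mean, so the average you would get from the trials is essentially the sum of each item’s (min + most likely + max) / 3 scaled by the record count; the 1,000 trials buy you the p10/p50/p90 spread, not a better average, and that spread is what a budget conversation actually needs. Second, the per-record items dominate once the record count is large, so the single most consequential input is the assumed number of records lost, not any of the fixed-cost estimates.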

To meet the “easy” guideline, both teams created their models using Microsoft Excel. The difference between the two models was in how the survey information was gathered and how the results were presented.

I am using the model developed by Michael Gannon, Samantha Melnick and Rebecca Rosati as a foundation for my clients to predict their data breach costs. Starting from the work the students have done, an organization can obtain an estimate or they may enhance the model to have a more finely tailored estimate of the cost of a data breach.

Getting the model

The model is available free of charge (though a donation to St. Joseph’s University is preferred) on the Presentation & Papers page at the Privacy Ref website. Also available on that page is a presentation by the students describing their model. (Please note: You will be asked to provide your contact information to access the model and/or the presentation.)

The students will be presenting their model at the International Association of Privacy Professionals Global Privacy Summit, April 18 through 20, in Washington, D.C.


Bob Siegel has extensive professional experience in the development of privacy policies and procedures, the definition of performance metrics to evaluate privacy maturity, and the evaluation of compliance. He has extensive experience with PCI DSS and Safe Harbor and has deep subject matter knowledge surrounding key laws and regulations regarding consumer privacy and information security.

Throughout his career Bob has worked with computer applications and business practices that guard personal information. In addition to developing these systems, he trained employees to use them properly and efficiently. As the collection of personal information has increased, he has developed new approaches to help his organizations protect their sensitive data (both electronic and paper-based).

Bob is a Certified Information Privacy Professional, awarded by the International Association of Privacy Professionals, with concentrations in US Law (CIPP/US), European Law (CIPP/E), and Canadian Law (CIPP/C). He is also a Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Technologist (CIPT). He is a member of the IAPP faculty and has served on the Certification Advisory Board for its Certified Information Privacy Manager (CIPM) program as well as the Publications Advisory Board. He was also recently named a “Fellow of Information Privacy” by the IAPP.

Most recently, Bob served as senior manager of Worldwide Privacy and Compliance for Staples, Inc., where his responsibilities included development, awareness, and compliance of global privacy-related policies and procedures for more than 60 business units in 26 countries.

A seasoned program management expert, Bob has a long record of accomplishments in business planning, information privacy, sales support, customer support, application development, and product management. He has helped executive teams convert strategic plans into programs with well-defined, measurable outcomes. He also has created realistic program schedules and budgets, resolved critical path issues, managed risks and delivered results consistently on time and within budget.

Bob can be reached at

The opinions expressed in this blog are those of Bob Siegel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.