Historical information is available, but predictive models have been rare. Students from St. Joseph's University in Philadelphia have helped fill this gap.

A common fear of privacy officers is a data breach, the unauthorized acquisition or processing of personal information that is maintained by an organization. The fear is enhanced by some IT security folks reminding us that “there are two types of companies, those that have been breached and those that don’t know they’ve been breached.” I don’t know any privacy officer that gets a warm and fuzzy feeling when hearing that.

Anticipating the cost of a data breach

When I discuss data breaches with my clients, the question of the impacts to their organization always comes up. We discuss costs associated with analyzing the breach, notifying impacted individuals, reputational damage, lost customers, identity theft protection, productivity impacts, and executive distraction as a start.

This time of year, you see various reports published discussing the nature and the associated costs of data breaches that occurred the previous year. The Ponemon Institute and Verizon Enterprise Solutions provide analyses that I tend to favor. These documents provide insight into what has happened in the past to a population of companies that meet certain criteria in each study. However, the profile of the companies in these studies’ populations may not match yours. Therefore, they can provide some guidance, a ballpark figure if you will, on what a breach may cost, but it is not tailored to your specific needs.

St. Joseph’s University and the Analytics Cup

Dr. Ronald Klimberg, Professor of Decision & System Science at St. Joseph’s University in Philadelphia, holds a competition as the final project of his Advanced Analytics course each semester. The Analytics Cup breaks the class into teams, with each team working on a project defined by a business.
In the fall of this year, my company, Privacy Ref, proposed a project to predict the cost of a data breach for a company. Two of the eight teams took up the challenge. Neither team had any background in privacy. Other projects in the semester’s competition involved analysis of donations to the university by alumni, production optimization for a brew pub, and ticket pricing for a professional soccer team.

The teams I worked with individually did their research to understand privacy. Privacy Ref provided materials and guidance throughout the project. Sam Pfeifle, Content Director at the International Association of Privacy Professionals, provided access to the organization’s resource center for the teams’ use. The teams also met with privacy officers from enterprise-size organizations in retail, financial services, entertainment and health care. In early December, the teams presented their project results to a panel of judges, the students’ peers, the projects’ sponsors, and Dr. Klimberg. The two teams working on the predictive model took top honors.

A predictive model for the costs of a data breach

The guidelines for developing the model had one requirement: it must be “easy.” It had to be easy to use, easy to distribute and easy to understand the results.

Both teams took a similar approach in developing their models. Each team developed a survey to gather estimates of the costs contributing to the overall cost of a data breach. Some of these costs were found to be dependent on the number of records lost in the breach (e.g., notification costs), while others were independent of the size of the breach (e.g., public relations).

Minimum, maximum and most likely estimates are requested for each item in the survey. Based on these responses, 1,000 trials are then run to determine the costs of the data breach using a triangular distribution.
These results are averaged to provide a prediction for the cost of the scenario.

To meet the “easy” guideline, both teams created their models using Microsoft Excel. The difference between the two models was how the survey information was gathered and how the results were presented.

I am using the model developed by Michael Gannon, Samantha Melnick and Rebecca Rosati as a foundation for my clients to predict their data breach costs. Starting from the work the students have done, an organization can obtain an estimate, or it may enhance the model to produce a more finely tailored estimate of the cost of a data breach.

Getting the model

The model is available free of charge (though a donation to St. Joseph’s University is preferred) on the Presentation & Papers page at the Privacy Ref website. Also available on that page is a presentation by the students describing their model. (Please note: You will be asked to provide your contact information to access the model and/or the presentation.)

The students will be presenting their model at the International Association of Privacy Professionals Global Privacy Summit, April 18 through 20, in Washington, D.C.
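The survey-driven simulation described in the model section above (three-point estimates per cost item, per-record versus fixed items, 1,000 triangular-distribution trials, averaged), as an added Python example that is not part of the article or the students' Excel workbook. The cost items and dollar figures are constructed, the 10,000-record breach size is assumed, and the closed-form mean is included only as a sanity check on the simulation.

```python
import random
from dataclasses import dataclass


@dataclass
class CostItem:
    """One survey line: a three-point estimate of a breach cost component."""
    name: str
    low: float       # minimum estimate from the survey
    likely: float    # most likely estimate (mode of the triangle)
    high: float      # maximum estimate
    per_record: bool = False  # True: scales with records lost (e.g. notification)


# Constructed sample survey answers in dollars; hypothetical, not the students' figures.
SAMPLE_SURVEY = [
    CostItem("Breach analysis / forensics", 50_000, 120_000, 300_000),
    CostItem("Public relations", 20_000, 60_000, 150_000),
    CostItem("Notification per record", 1.00, 2.50, 5.00, per_record=True),
    CostItem("Identity theft protection per record", 5.00, 10.00, 20.00, per_record=True),
]


def item_cost(item, draw, records):
    """Scale a drawn value by the breach size for per-record items."""
    return draw * records if item.per_record else draw


def expected_cost(items, records):
    """Closed-form check: a triangular distribution's mean is (low + likely + high) / 3."""
    return sum(item_cost(it, (it.low + it.likely + it.high) / 3, records) for it in items)


def simulate_breach_cost(items, records, trials=1000, seed=0):
    """Monte Carlo estimate: draw every item from its triangular distribution,
    total the draws for each trial, then average the trial totals.
    Returns (average, lowest trial total, highest trial total)."""
    rng = random.Random(seed)  # fixed seed so the prediction is reproducible
    totals = []
    for _ in range(trials):
        total = sum(item_cost(it, rng.triangular(it.low, it.high, it.likely), records)
                    for it in items)
        totals.append(total)
    return sum(totals) / trials, min(totals), max(totals)


if __name__ == "__main__":
    records_lost = 10_000  # assumed breach size
    avg, lo, hi = simulate_breach_cost(SAMPLE_SURVEY, records_lost)
    print(f"Predicted cost for {records_lost:,} records: ${avg:,.0f} "
          f"(trials ranged ${lo:,.0f} to ${hi:,.0f}; "
          f"closed-form mean ${expected_cost(SAMPLE_SURVEY, records_lost):,.0f})")
```

Changing `records_lost` shows which items drive the total for small versus large breaches, which is the per-record/fixed distinction the teams found.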