[fc-discuss] Financial Cryptography Update: How much will it cost you to lose your customer's data?

iang@iang.org iang@iang.org
Thu, 8 Dec 2005 10:31:26 +0000 (GMT)


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000605.html



------------------------------------------------------------------------

This one popped up and adds actual numbers to the debates on losses of
data by companies.  I can do no better than Chandler on this and will
simply copy his snippets:

http://thurston.halfcat.org/blog/?p=279
http://www.networkworld.com/weblogs/security/010409.html

=========8<===========8<========
     The first report is a survey of 14 organizations that lost
confidential customer information and had a regulatory requirement to
notify the affected individuals. The 14 organizations primarily hailed
from the financial services arena but also included retailers,
insurance companies, telecom firms, higher education and healthcare.

    To cope and recover from a single security breach cost on average
$14 million per company per breach or $140 per lost customer record.
The direct costs in incremental spending for outside legal counsel,
increased call-center costs and related items alone were $5 million.
===============>8=========>9====

Chandler went to PGP and in a supreme irony, entered his personal
details in order to get the actual reports:

http://www.pgp.com/library/ponemon_reg_direct.html
=========8<===========8<========
    Breaches included in the survey ranged from 1,500 records to
900,000 records from 11 different industry sectors. In general, the
largest breaches occurred in financial services, data integration, and
retail; the smallest were in higher education and health care.
Information in this study covers the costs of almost 1.4 million
customer records compromised.

    Among the study's key findings:
    * Total costs to recover from a data breach averaged $14 million
per company or $140 per lost customer record
    * Direct costs for incremental, out-of-pocket, unbudgeted spending
averaged $5 million per company or $50 per lost customer record for
outside legal counsel, mail notification letters, calls to individual
customers, increased call center costs, and discounted product offers
    * Indirect costs for lost employee productivity averaged $1.5
million per company or $15 per customer record
    * Opportunity costs covering loss of existing customers and
increased difficulty in recruiting new customers averaged $7.5 million
per company or $75 per lost customer record. Overall customer loss
averaged 2.6% of all customers and ranged as high as 11%.

    These cost estimates include recovery costs only and do not include
the cost of putting in place technology and procedures to ensure such
breaches do not occur in the future.
===============>8=========>9====

Those are hard numbers, not in the sense that they are fixed for you,
but in the sense that they cannot easily be ignored in NPV
calculations.  Now, if we were able to calculate the risk of this
breach happening then we could simply multiply the two and get the
expected loss.  Which then could be compared and contrasted with our
security expenditure!

Or, in simple terms, you might consider spending up to $140 per
customer on security if you are 100% likely to lose the data, and your
security is guaranteed to reduce that likelihood to zero.  Leaves a lot
of open territory, I know, but any numbers are better than no numbers.
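To make the "probability times cost" reasoning above concrete, here is a small worked example added to this post (it is not code from the post, from Chandler, or from the Ponemon/PGP report). It takes the per-record cost components quoted above ($50 direct, $15 indirect, $75 opportunity) and generalises the post's 100%-to-zero case to any before/after breach probability: the most a control can be worth is the expected loss it removes. The customer counts, breach probabilities and control price used in the script are constructed inputs, not figures from the report; the post deliberately leaves open how to estimate the probability.

```python
"""Expected-loss arithmetic for a customer-data breach.

Illustration added to the post; uses the per-record recovery cost
components the post quotes from the Ponemon study (USD):
  $50 direct + $15 indirect + $75 opportunity = $140 per record.
Probabilities and population sizes below are constructed assumptions.
"""

from typing import Optional

# Per-record recovery cost components quoted in the post (USD).
DIRECT_PER_RECORD = 50        # legal counsel, notification letters, call centre, discounts
INDIRECT_PER_RECORD = 15      # lost employee productivity
OPPORTUNITY_PER_RECORD = 75   # lost customers, harder customer acquisition


def cost_per_record() -> int:
    """Total recovery cost per lost customer record.

    As the study notes, this is recovery only and excludes the cost of
    preventive technology and procedures.
    """
    return DIRECT_PER_RECORD + INDIRECT_PER_RECORD + OPPORTUNITY_PER_RECORD


def expected_loss(records: int, p_breach: float,
                  per_record: Optional[int] = None) -> float:
    """Expected loss = probability of breach x cost of breach.

    p_breach is an assumed probability (e.g. annual); estimating it is
    the open question the post points at.
    """
    if not 0.0 <= p_breach <= 1.0:
        raise ValueError("p_breach must be a probability in [0, 1]")
    if records < 0:
        raise ValueError("records must be non-negative")
    rate = cost_per_record() if per_record is None else per_record
    return p_breach * records * rate


def max_justified_spend(records: int, p_before: float, p_after: float,
                        per_record: Optional[int] = None) -> float:
    """Upper bound on what a control is worth: the expected loss it removes.

    The post's special case is p_before=1.0, p_after=0.0, which yields
    the full $140 per record.
    """
    if p_after > p_before:
        raise ValueError("a control should not increase breach probability")
    before = expected_loss(records, p_before, per_record)
    after = expected_loss(records, p_after, per_record)
    return before - after


def worth_buying(records: int, p_before: float, p_after: float,
                 control_cost: float) -> bool:
    """True when the control costs no more than the expected loss it removes."""
    return control_cost <= max_justified_spend(records, p_before, p_after)


if __name__ == "__main__":
    n = 100_000  # constructed: size of the customer base
    print(f"recovery cost per record: ${cost_per_record()}")
    print("post's bound (certain breach, perfect control): "
          f"${max_justified_spend(n, 1.0, 0.0):,.0f}")
    # Constructed scenario: 10% chance of a breach, a control halves it
    # and is priced at $500k.
    print("justified spend for 10% -> 5%: "
          f"${max_justified_spend(n, 0.10, 0.05):,.0f}")
    print("buy the $500k control?", worth_buying(n, 0.10, 0.05, 500_000))
```

The point of separating `expected_loss` from `max_justified_spend` is that the second is a difference of two expected losses: a control that only shaves a few percentage points off the breach probability is worth correspondingly few dollars per record, which is the "open territory" the post alludes to.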

-- 
Powered by Movable Type
Version 2.64
http://www.movabletype.org/