It's Not Easy to Determine Costs of Data Breach
Determining costs of a data breach is a complicated, but important, exercise. It may help convince executives to increase security spending.
If there's anything positive to come out of the catastrophic breach of Sony Pictures Entertainment's network last year, it's that the case helps illustrate the true cost of a major security incident. That's important because security infrastructure is expensive, and beyond doing the minimum needed to satisfy regulatory compliance, expenditure can be hard to justify on economic grounds alone.
Cutting security budgets brings immediate, certain savings, while spending on security buys a reduction in uncertain future costs from breaches that may or may not happen. Knowing how much a breach might cost is therefore essential to deciding how much security is worth paying for. Spending $10 million to avoid a breach that would cost $10 million if it ever happened is clearly not worthwhile, because unless the breach is certain the expected loss is less than $10 million. Spending $10 million to significantly reduce the risk of a breach that would cost $100 million, on the other hand, can be a sensible investment: it pays for itself if it cuts the probability of that breach by more than ten percentage points over the period considered.
A realistic figure is also needed before you can buy data breach insurance, though, as we shall see, such insurance is unlikely to cover the full cost of a breach.
Data Breach Costs: A Starting Point
As a starting point, the cost of a breach is the sum of a number of different factors. When it comes to the theft of customer records, the Ponemon Institute includes the costs of engaging forensic experts, outsourcing hotline support, notifying customers, providing free credit monitoring subscriptions for affected customers, and in-house investigations and communication.
In all, the Ponemon Institute's 2014 Cost of Data Breach Study found that breaches at U.S. companies cost an average of $195 per record lost, or around $5.85 million per incident.
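To make the trade-off described above concrete, here is a small breach-cost model added for this edit; it is not from the article, from Ponemon or from Sony. It sums direct per-record costs of the kind Ponemon counts, adds indirect costs that do not scale with the number of records, and checks whether a given security spend is justified by the expected loss it removes, which is the $10 million versus $100 million argument made earlier. The $195 per record figure is the article's; the split of that figure across cost categories and the indirect-cost amounts are constructed illustrations, as are the function names.

```python
"""Breach-cost model: direct per-record costs, indirect costs, and a
risk-adjusted check on whether a security investment is worthwhile.
Added example; the category split and indirect figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PerRecordCosts:
    """Direct cost components per exposed record, of the kind Ponemon counts.
    Only the $195 total comes from the article's 2014 U.S. figure; the
    split below is a constructed illustration."""
    forensics: float = 60.0
    hotline_support: float = 15.0
    notification: float = 20.0
    credit_monitoring: float = 55.0
    internal_investigation: float = 45.0

    def total(self) -> float:
        return (self.forensics + self.hotline_support + self.notification
                + self.credit_monitoring + self.internal_investigation)


def direct_cost(records_lost: int,
                per_record: PerRecordCosts = PerRecordCosts()) -> float:
    """Direct cost scales with the number of records exposed."""
    return records_lost * per_record.total()


def total_breach_cost(records_lost: int, indirect: dict[str, float],
                      per_record: PerRecordCosts = PerRecordCosts()) -> float:
    """Direct per-record cost plus indirect items that do not scale with
    record count (lost business, legal exposure, reputation, rebuilds)."""
    return direct_cost(records_lost, per_record) + sum(indirect.values())


def expected_loss(breach_cost: float, probability: float) -> float:
    """Expected loss over whatever period the probability refers to."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return breach_cost * probability


def risk_reduction_value(breach_cost: float,
                         p_before: float, p_after: float) -> float:
    """Expected loss removed by a control that lowers breach probability."""
    return expected_loss(breach_cost, p_before) - expected_loss(breach_cost, p_after)


def investment_justified(spend: float, breach_cost: float,
                         p_before: float, p_after: float) -> bool:
    """Spend is justified when the expected loss it removes exceeds its cost."""
    return risk_reduction_value(breach_cost, p_before, p_after) > spend


def break_even_reduction(spend: float, breach_cost: float) -> float:
    """Smallest drop in breach probability (as a fraction) that pays for spend."""
    return spend / breach_cost


if __name__ == "__main__":
    # 30,000 records at $195 each reproduces the article's $5.85 million figure.
    print(f"direct cost, 30,000 records: ${direct_cost(30_000):,.0f}")

    # Constructed indirect costs for a breach where far more than records is lost.
    indirect = {"rebuild_systems": 83e6, "lost_business": 20e6, "legal": 15e6}
    print(f"records plus indirect: ${total_breach_cost(30_000, indirect):,.0f}")

    # The article's two scenarios, with constructed before/after probabilities.
    print("$10M to avoid a $10M breach (p 0.5 -> 0.0):",
          investment_justified(10e6, 10e6, 0.5, 0.0))
    print("$10M to cut a $100M breach (p 0.3 -> 0.1):",
          investment_justified(10e6, 100e6, 0.3, 0.1))
    print(f"break-even reduction for $10M vs $100M: "
          f"{break_even_reduction(10e6, 100e6):.0%}")
```

The model deliberately keeps direct and indirect costs apart: the per-record figure is the part that is reasonably well understood, while the indirect dictionary is where the estimates that dominate a breach like Sony's, and that are hardest to defend to a board, have to be made explicit and argued over.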
But what the Sony breach has shown is that the true cost of a breach can be far higher than these Ponemon figures. That's because - unlike in the Target breach in 2013 - far more can be lost than just customer records.
For example, the terabytes of data stolen from Sony reportedly included numerous files containing login names and passwords for various accounts. If so, every Sony staff member will have to be issued new credentials and every server will have to be re-keyed, with any exposed passwords, keys and certificates rotated. That is an enormous task, and one that brings security risks of its own: a rushed, company-wide credential rotation is easy to get wrong.
In all, the direct costs such as rebuilding computer systems, hiring those forensic experts and so on could cost Sony as much as $83 million, according to analysts at Macquarie Research.
That really is just the start. Sony also faced indirect costs: the loss of confidential business information, the disruption caused by rebuilding servers and authentication infrastructure, and lost business during the attack itself. Sony reportedly had to halt production of several films while it was under attack because it was unable to process payments.
Lawsuits and Reputation
The real damage is likely to come from more nebulous and intangible costs like loss of reputation, and the costs due to unstructured data like emails being leaked.
Costs due to loss of reputation are difficult to measure, so they are easy to gloss over, but they shouldn't be underestimated. Loss of reputation can mean lost customers and fewer new ones, and it can also make future business more expensive if certain partners or suppliers are unwilling to continue working with you.
In Sony's case there have been embarrassing revelations in leaked emails about what Sony executives think of Angelina Jolie, Adam Sandler and other movie stars and writers. Some of these may reconsider working with Sony, or demand higher fees for continuing to do so.
There have also been unexpected revelations about the levels of compensation paid to male and female employees, which could lead to legal action. Already, four lawsuits have been filed by former employees who claim their personal information was not adequately secured.
If legal actions succeed or simply drag on, costs associated with loss of reputation will continue to mount rapidly. "If you look at liability and the cost of lawsuits, this always turns out to be the most expensive part of a breach," said Jim Lewis, a security expert and director of the Strategic Technologies Program at the Washington-DC based Center for Strategic and International Studies.
Despite these estimates, Sony chief executive Kazuo Hirai said at CES in Las Vegas that the breach won't affect the company's financial results this year. "We are still reviewing the effects of the cyber-attack," he said. "However, I do not see it as something that will cause a material upheaval on Sony Pictures business operations, basically, in terms of results for the current fiscal year."
But Alex Fidgen, commercial director at information security consultancy MWR InfoSecurity, disagrees. "As CEO, Kazuo Hirai is in the best position to judge whether the financial results for this year will be unaffected by the recent security breach. However, it is more likely that the non-tangible effects of the breach could impact against the next year's financial result via the loss of consumer confidence, and increased defensive spending overhead," he said in an interview with SCMagazineUK.com.
It's clear that establishing the cost of a possible data breach is hard. The cost of losing structured data like customer credit card details is fairly well understood. But as Sony's experience has shown, the cost of losing unstructured data like emails - and the costs of resulting legal action, loss of reputation and loss of competitive advantage - can easily be underestimated.
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.