In a recent survey of 83 corporate IT managers, 28 acknowledged having had to cope with a data breach, and half of those respondents reported significant related costs.
In its report entitled "Calculating the cost of a security breach," research firm Forrester says half of those polled cited changes to security and auditing processes as a major cost category.
In addition, 43% said the costs of customer notification and loss of business could be counted in the fall-out from a data breach, though only 25% feared lawsuits and civil penalties.
In its report, Forrester concludes that the costs of a data breach vary widely, from about US$90 to US$305 per customer record, depending on whether the breach is "low-profile" or "high-profile" and whether the company is in a non-regulated or a highly regulated area, such as banking.
The Forrester report notes this is higher than findings made by the Ponemon Institute and other industry experts, who typically cite costs associated with a data breach in the range of US$50 per customer record to cover legal fees, notification costs, increased call center costs, and marketing and public relations expenses.
In counting up the costs of coping with a security breach involving sensitive data, Forrester reckons it costs US$50 just for the discovery, notification and response, which bring in unexpected expenses associated with legal counsel, call centres and mail notification.
Lost employee productivity would range from US$20 to US$30 per customer record, while the "opportunity costs" in lost customers and difficulty in getting new ones would range from US$20 for a "low-profile breach" in a non-regulated industry to US$100 for a "high-profile breach" in a regulated one.
Regulatory fines could also be incurred in regulated industries, to the tune of US$25 to US$60 per customer record. Credit-card replacement costs or civil penalties easily add up to US$25, Forrester reckons.
Though it may seem hard to estimate a dollar value associated with a data breach, "focus on cost per record vs. overall costs," the Forrester report advises. The IT division should use the estimates simply as a starting point when working with the business side to estimate costs.