How we calculate the cost of a data breach

To calculate the cost of a data breach, we use a costing methodology called activity-based costing (ABC). This methodology identifies activities and assigns a cost based on actual use. Companies participating in this benchmark research are asked to estimate the cost for all the activities necessary to resolving the data breach. Typical activities for the discovery of and the immediate response to the data breach include the following:

  • Conducting investigations and forensics to determine the root cause of the data breach
  • Determining the probable victims of the data breach
  • Organizing the incident response team
  • Conducting communication and public relations outreach
  • Preparing notice documents and other required disclosures to data breach victims and regulators
  • Implementing call center procedures and specialized training
The following are typical activities conducted in the aftermath of discovery:
  • Audit and consulting services
  • Legal services for defense
  • Legal services for compliance
  • Free or discounted services offered to victims of the breach
  • Identity protection services
  • Lost customer business based on calculating customer churn or turnover
  • Customer acquisition and loyalty program costs

Categorizing the costs

Once the company estimated a cost range for these activities, we categorized the costs as direct or indirect as defined below:

Direct cost – the direct expense outlay to accomplish a given activity.

Indirect cost – the amount of time, effort and other organizational resources allocated to data breach resolution, but not as a direct cash outlay.

Data collection methods

Data collection methods did not include actual accounting information, but instead relied upon numerical estimation based on the knowledge and experience of each participant. The benchmark instrument required individuals to rate direct cost estimates for each cost category by marking a range variable defined in the following number line format.

How research participants estimated data breach costs

To preserve confidentiality, organizations did not provide actual accounting information on breach costs. Instead, research participants estimated costs incurred by their organization using a number line. Participants were instructed to mark a number line in one spot between the lower and upper limits of a range for each data breach cost category.

LL
UL

The numerical value obtained from the number line rather than a point estimate for each presented cost category preserved confidentiality and ensured a higher response rate. The benchmark instrument also required practitioners to provide a second estimate for indirect and opportunity costs, separately.

To ensure a manageable size for the benchmarking process, we carefully limited items to only those cost activity centers that we considered crucial to data breach cost measurement. Based upon discussions with learned experts, the final set of items included a fixed set of cost activities. Upon collection of the benchmark information, each instrument was re-examined carefully for consistency and completeness.

For purposes of complete confidentiality, the benchmark instrument did not capture any company-specific information. Subject materials contained no tracking codes or other methods that could link responses to participating companies.

The scope of data breach cost items contained within our benchmark instrument was limited to known cost categories that applied to a broad set of business operations that handle personal information. We believed that a study focused on business process–and not data protection or privacy compliance activities–would yield better quality results.