This one popped up and adds actual numbers to the debates on losses of data by companies. I can do no better than Chandler on this and will simply copy his snippets:
The first report is a survey of 14 organizations that lost confidential customer information and had a regulatory requirement to notify the affected individuals. The 14 organizations primarily hailed from the financial services arena but also included retailers, insurance companies, telecom firms, higher education and healthcare.To cope and recover from a single security breach cost on average $14 million per company per breach or $140 per lost customer record. The direct costs in incremental spending for outside legal counsel, increased call-center costs and related items alone were $5 million.
Chandler went to PGP and in a supreme irony, entered his personal details in order to get the actual reports:
Breaches included in the survey ranged from 1,500 records to 900,000 records from 11 different industry sectors. In general, the largest breaches occurred in financial services, data integration, and retail; the smallest were in higher education and health care. Information in this study covers the costs of almost 1.4 million customer records compromised.Among the study's key findings:
- Total costs to recover from a data breach averaged $14 million per company or $140 per lost customer record
- Direct costs for incremental, out-of-pocket, unbudgeted spending averaged $5 million per company or $50 per lost customer record for outside legal counsel, mail notification letters, calls to individual customers, increased call center costs, and discounted product offers
- Indirect costs for lost employee productivity averaged $1.5 million per company or $15 per customer record
- Opportunity costs covering loss of existing customers and increased difficulty in recruiting new customers averaged $7.5 million per company or $75 per lost customer record. Overall customer loss averaged 2.6% of all customers and ranged as high as 11%.
These cost estimates include recovery costs only and do not include the cost of putting in place technology and procedures to ensure such breaches do not occur in the future.
Those are hard numbers, not in the sense that they are fixed for you, but in the sense that they can not easily be ignored in NPV calculations. Now, if we were able to calculate the risk of this breach happening then we could simply multiple the two and get the expected loss. Which then could be compared and contrasted with our security expenditure!
Or, in simple terms, you might consider spending up to $140 per customer on security if you are 100% likely to lose the data, and your security is guaranteed to reduce that likelihood to zero. Leaves a lot of open territory, I know, but any numbers are better than no numbers.
Posted by iang at December 8, 2005 05:28 AM | TrackBackAnother key fact taken from the PGP link:
"23 million U.S. adults have received notification that their data was compromised or lost"
Question then is - who has not been notified? Is the notification to loss ratio 10%? 20%? I think we can all agree that it is going to be in the below 50% range.
If we assume that there are (say) 200 million adults in the US, and 100 million of those are data-rich, then that would give us a lower bound of 23%. Otherwise we run out of people to leak!
Posted by: Iang at December 8, 2005 06:05 AMReaders of this report should make careful note of Appendix A, in which the author points out that statistical inferences cannot be made here, because the sample (which he nonetheless calls 'representative') is not statistically valid.
The reported numbers do serve to describe the impact for the firms which decided to respond, however.
Posted by: Chris Walsh at December 8, 2005 10:46 AMThis sounds like a great way to measure the premium to charge for an insurance contract. Of course the results of such a contract would be to develope standards to avoid the risk while still maintaining the premium. So the cost for support and design of a security system is somewhere between the profit margin on the premium and the loss on the stolen records that have real economic loss involved. The dollar value is small relative to most policies but could be done if the companies adopted a standard and the standard bearers where the underwriters as well it might work. So a coop of large customer data sets could self insure and enforce the standards. Since the banking and financial industry is subject to these attacks because the rewards of stealing fungible assets are more rewarding that stealing toasters they should be the thrust of this standard. The top of the food chain as far as payments needs to be addressed or displaced.
The displacement of un-trusted entities that fail to protect the customer’s information is a critical advantage to be exploited by disruptive technological ventures. At the current time the post 9/11 world is focused on security from within the established and disreputable entities that have and continue to provide lip service protection for customers. They are backed by a battery of laws that are unenforceable in any real sense but occasional prosecution of the selective kind make the headlines. So there are no standards that’s why there is no insurance contract for the events. The companies go along as if this where un-avoidable and they suffered no reputational risk of monetary loss. So the world officially has shut its eyes to the rape of private information because it cannot see a way clear to avoid it without disrupting the established entities of which the regulators have a vested interest in. Fiat monetary shortfalls have failed to make the grade in the online environments where informational presence is required rather than physical. Hedge Funds exploit this by incorporating outside the domain of regulators yet have offices in Manhattan. The crisis arbitrage of the informational entity versus a world designed for the physical. When the informational entities organize they can and will over take the physical presence based laws and they are beginning to show a real effect. The physical law base was constructed from a body of common law whereby the long term trust of an entity within a community was transferred from that political sub-division to a national level. In the informational world only a few villages exist as is the case with the Hedge Funds they have been able to aggregate vast amounts of assets and power without the physical base of laws really affecting them. The online transactional world is the same community although perhaps not as well funded. By replicating the evolving standards of Hedge Funds entities that control information for non-physical entities can establish some means of controlling the losses. Since the established institutions that have provided the information have failed and continue to recognize the damage they are causing due to their sloppy standards the door have been opened for disruptive innovators to usurp the established institutional players. Of course there is the gap between legislation that still protects the franchise of the established institutions but that legislation was bought and paid for by the established entities and can be replicated to satisfy the disruptive entities once they have a bankroll. Washington is for sale 24/7 its just a question of the cost and a percentage of participation in the ongoing revenue stream. So the equation is not the losses but the opportunity provided and how long that will take to displace the established institutions, survive the transformation of the regulatory, and maximize the operational aspects to reduce cost. None of the processes really involve programming or logical thought they are marketing cost that result in an event. Back to the human engineering problem of changing minds to fill the treasure chest. The customer information is stolen because it has value and the value has is small and has not caused harm to the sloppy institution that allowed the theft. So people do not care because it cost so little to be robbed and they think is probably their fault to begin with. People are forgiving because the blame has been placed on their shoulders and they dare not start pointing monkeys out for fear they have one riding on their back as well. The institutions are now trapped in a deadly game of negative selling that they cannot win. So with diminished expectations and fear of being called an idiot the customer returns to the only game in town.
The strategy to displace these lazy bastards called customer information repositories is to use greed issue to every customer and merchant that signs up for a new monetary service a zero coupon debt redeemable in ten years. If you give them money they will come even if its not there right now. Place transactional levels of maintenance for the terms of the zero coupons accreted value and use the funds placed into the system to float the disruptive event of undoing the Fiat Currency and its reliance on the physical body of law. Trust is measurement of price since less people wish to hold US Treasuries the rate the US must pay goes up. The violation of trust is a measurement of the cost of change in the rate to borrower funds and in the case of stolen customer information the cost has been charged to the customer themselves rather than the facilitator of the theft and abuse the institutional repository this is a form of tyranny. There are no checks and balances for the repository since they have remained nameless in the press, bought off the regulatory entities, and mandated a monopoly on the use of currency and information.
The only way to fight a well financed army of tyranny is to obtain funding and cut their supply lines. The villages that have the ability to fight this have created the alternative to the fiat regime of currency transfer and implemented their own body of laws Hedge Funds are the emerging anarchist that have succeeded in escaping the insanity proposed as a solution for the abused and pillaged customer.