In calculating the cost of a data breach, this study uses a costing methodology called activity-based costing. This methodology identifies the activities performed in resolving the breach and assigns each a cost according to actual use. Companies participating in this benchmark research are asked to estimate the cost of all the activities they engage in to resolve the data breach.
Typical activities for discovery and the immediate response to the data breach, which must be carried out in full if the breach is to be handled properly, include the following:
- Conducting investigations and forensics to determine the root cause of the data breach
- Determining the probable victims of the data breach
- Organizing the incident response team
- Conducting communication and public relations outreach
- Preparing notice documents and other required disclosures to data breach victims and regulators
- Implementing call center procedures and specialized training
The following are typical activities conducted in the aftermath of discovering the data breach that support recovery from it:
- Audit and consulting services
- Legal services for defense
- Legal services for compliance
- Free or discounted services offered to victims of the data breach
- Identity protection services
- Lost customer business, estimated by calculating customer churn or turnover
- Customer acquisition and loyalty program costs
Once the company estimates a cost range for these activities, we categorize each cost as direct, indirect or opportunity cost, as defined below:
- Direct cost – the direct expense outlay to accomplish a given activity
- Indirect cost – the amount of time, effort and other organizational resources spent, but not as a direct cash outlay
- Opportunity cost – the cost resulting from lost business opportunities as a consequence of negative reputation effects after the breach has been reported to victims (and publicly revealed to the media)
The study also looks at the core process-related activities that drive a range of expenditures associated with an organization’s data breach detection, response, containment and remediation. These fall into four cost centers:
- Detection or discovery: Activities that enable a company to reasonably detect a breach of personal data, either at rest or in motion.
- Escalation: Activities necessary to report the breach of protected information to appropriate personnel within a specified time period.
- Notification: Activities that enable the company to notify data subjects with a letter, outbound telephone call, e-mail or general notice that personal information was lost or stolen.
- Post data breach: Activities to help victims of a breach communicate with the company to ask additional questions or obtain recommendations in order to minimize potential harms. Post data breach activities also include credit report monitoring or the reissuing of a new account or credit card.
In addition to the above process-related activities, most companies experience opportunity costs associated with the breach incident, which result from diminished trust or confidence on the part of present and future customers. Our institute’s research shows that the negative publicity associated with a data breach incident causes reputation effects that may result in abnormal turnover or churn rates as well as a diminished rate of new customer acquisition.
To extrapolate these opportunity costs, we use a cost estimation method that relies on the “lifetime value” of an average customer as defined by each participating organization.
- Turnover of existing customers: the estimated number of customers who will most likely terminate their relationship as a result of the breach incident. The incremental loss is the abnormal turnover attributable to the breach incident. This number is an annual percentage, based on estimates provided by management during the benchmark interview process.
- Diminished customer acquisition: the estimated number of target customers who will not enter into a relationship with the organization as a consequence of the breach. This number is also provided as an annual percentage.
We acknowledge that the loss of non-customer data, such as employee records, may not affect an organization’s churn or turnover. In these cases, we would expect the lost business cost category to be lower when the data breach does not involve customer or consumer data (including payment transaction information).
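The following Python example, added here and not part of the original study, shows how the pieces above fit together: activities are tagged with a cost center and a cost type (direct, indirect, opportunity), summed per category, and the opportunity cost is extrapolated from the lifetime value of an average customer together with the abnormal churn and diminished acquisition percentages. The arithmetic used for that extrapolation (lost customers times lifetime value) is an assumption, as are the dollar figures, customer counts and percentages, which are constructed sample data. It also handles the caveat in the last paragraph: a breach that involves no customer data is assigned no lost-business cost.

```python
from dataclasses import dataclass, replace
from enum import Enum


class CostType(Enum):
    DIRECT = "direct"            # direct expense outlay for the activity
    INDIRECT = "indirect"        # time, effort and other resources, no cash outlay
    OPPORTUNITY = "opportunity"  # lost business from reputation effects


@dataclass(frozen=True)
class Activity:
    cost_center: str    # "detection", "escalation", "notification" or "post_breach"
    name: str
    cost_type: CostType
    amount: float       # estimate supplied by the participating company


@dataclass(frozen=True)
class CustomerProfile:
    customer_data_involved: bool     # False for e.g. an employee-records-only breach
    existing_customers: int
    expected_new_customers: int      # acquisitions expected this year absent the breach
    lifetime_value: float            # average customer LTV, as defined by the organization
    abnormal_churn_pct: float        # annual %, management estimate
    diminished_acquisition_pct: float  # annual %, management estimate


def opportunity_cost(profile: CustomerProfile) -> float:
    """Assumed extrapolation: lost existing and lost prospective customers, valued at LTV."""
    if not profile.customer_data_involved:
        return 0.0  # no customer data lost, so no churn or acquisition effect is attributed
    lost_existing = profile.existing_customers * profile.abnormal_churn_pct / 100
    lost_new = profile.expected_new_customers * profile.diminished_acquisition_pct / 100
    return (lost_existing + lost_new) * profile.lifetime_value


def total_by_cost_type(activities, profile) -> dict:
    """Sum the activity estimates per cost type and add the extrapolated opportunity cost."""
    totals = {t: 0.0 for t in CostType}
    for a in activities:
        totals[a.cost_type] += a.amount
    totals[CostType.OPPORTUNITY] += opportunity_cost(profile)
    return totals


def total_by_cost_center(activities) -> dict:
    """Sum the activity estimates per process-related cost center."""
    totals = {}
    for a in activities:
        totals[a.cost_center] = totals.get(a.cost_center, 0.0) + a.amount
    return totals


def cost_per_record(totals: dict, records_compromised: int) -> float:
    """Average cost per compromised record across all cost types."""
    return sum(totals.values()) / records_compromised


# Constructed sample data: one hypothetical breach of 20,000 customer records.
SAMPLE_ACTIVITIES = [
    Activity("detection", "investigation and forensics", CostType.DIRECT, 120_000),
    Activity("escalation", "incident response team staff time", CostType.INDIRECT, 30_000),
    Activity("notification", "notice letters and disclosures", CostType.DIRECT, 45_000),
    Activity("notification", "call center procedures and training", CostType.DIRECT, 60_000),
    Activity("post_breach", "credit monitoring for victims", CostType.DIRECT, 200_000),
    Activity("post_breach", "legal services for defense", CostType.DIRECT, 150_000),
    Activity("post_breach", "audit and consulting services", CostType.DIRECT, 50_000),
]

SAMPLE_PROFILE = CustomerProfile(
    customer_data_involved=True,
    existing_customers=50_000,
    expected_new_customers=5_000,
    lifetime_value=400.0,
    abnormal_churn_pct=2.0,
    diminished_acquisition_pct=1.0,
)

if __name__ == "__main__":
    by_type = total_by_cost_type(SAMPLE_ACTIVITIES, SAMPLE_PROFILE)
    for t, v in by_type.items():
        print(f"{t.value:>12}: {v:>12,.2f}")
    print(f"per record: {cost_per_record(by_type, 20_000):,.2f}")
    employee_only = replace(SAMPLE_PROFILE, customer_data_involved=False)
    print(f"opportunity cost, employee records only: {opportunity_cost(employee_only):,.2f}")
```

Churn and acquisition percentages are applied to the customer base and to the year's expected acquisitions respectively, since the study defines both as annual percentages; an organization that defines lifetime value over a longer horizon would substitute its own figure.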