Researchers Struggle to Determine True Cost of Data Breaches

Depending on the estimate, the average data breach can cost a company $7 million or $150 million. Why are data breach costs so difficult to estimate?

Data Breach Cost 2

In May, tucked away in its quarterly filing to the Securities and Exchange Commission, retail giant Target updated its running total of the cost of its 2013 holiday season breach.

The damages so far: $291 million. Those losses eventually may reach $370 million, according to the company's estimates.

While the retail giant may have outdone its peers with the bill for its breach, it is hardly alone. U.K. mobile service provider TalkTalk attributed more than $80 million in losses to a breach that garnered information on 157,000 customers. Following its breach in 2014, Home Depot tallied at least $161 million in costs from the loss of 40 million payment-card accounts and more than 50 million e-mail addresses, the company claimed in March.

Yet, other companies have no idea how much damage their breaches have done. In February 2015, for example, hackers stole more than 80 million records from health insurer Anthem. More than a year later, the company cannot put a number to its damages.

"While a loss from these matters is reasonably possible, we cannot reasonably estimate a range of possible losses," the company stated in its latest quarterly SEC filing, listing a variety of unknowns: its ongoing investigation, the early stage at which legal proceedings progress, unknown damages and uncertainty in the number of lawsuits that will be filed.

Anthem's uncertainty may not be an outlier. Determining the cost of a breach still is an unsettled science. Most often, analysts look at a limited set of costs, such as investigating the breach, notifying customers, offering protection services, complying with regulations, public relations, attorneys' fees and cyber-security improvements.

Yet, in a report on the hidden costs of cyber-crime, business services firm Deloitte & Touche argued that the damages caused by incidents go beyond the commonly cited figures. Costs that typically are not counted include increases to insurance premiums, costs of operational disruptions, lost customers, lost contract revenue, increased cost to raise debt, loss of intellectual property and the loss of brand value.

"The big 'ah-ha' is not that these factors are rocket science, but in many cases, these are the types of things that CFOs (chief financial officers) look at every day and, for whatever reason, we have not been including these factors," Emily Mossburg, a resilient practice leader for Deloitte Advisory Cyber Risk Services, told eWEEK. "There is such a technical lens put on cyber-risk and cyber-attacks that the business impact was not really part of the conversation."

With these factors included, the costs of cyber-crime could be much higher.

In one scenario included it its report involving a healthcare firm, Deloitte estimated that the hidden factors could account for more than 95 percent of the actual cost of a breach.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...