– why do data breaches cost millions of dollars?


31 Answers

Anonymous 0 Comments

Upgrades post-breach, liability suits regarding personal information (often), loss of revenue, etc.

Anonymous 0 Comments

They pay people to find out how it happened. They pay people to find out who did it and where they’re from. They pay people to find out why they did it. They pay people to find out when it happened. They pay people to find out what was affected. Meanwhile, they also pay for security changes and upgrades. While all that is going on, they also pay for lawyers and publicists for damage control. Then there’s the fines and fees, which are eventually followed by lawsuits.

Anonymous 0 Comments

The other issue adding to costs is employees/executives that may get fired, and they go to court to punch the company more with documentation that they warned the right people, and those right people ignored/dismissed their concerns that led to the data breach.

Anonymous 0 Comments

Having a data breach sets off a string of events that immediately has financial impacts.

Data and security teams go into overdrive and forensic investigations are granted all the resources at a company’s disposal. Storage, hardware, and software licenses for those forensics are very expensive. Security goes a little crazy locking things down as a response, which essentially slows down productivity for the entire company.

Operations teams are grilled and will be part of that forensics investigation and they’ll likely take the brunt of the penalties if they can’t prove they did everything they could to mitigate the breach. All policies and procedures are looked at with a microscope by auditors (usually hired from outside).

Legal teams are also set on alert and are meeting up with regulators, auditors, and internal teams to identify the repercussions and discuss mitigation and penalties.

Customer service is on alert and extra resources are allocated on training and how to inform customers who might contact them of the breach. Just about EVERYTHING is now recorded (if it wasn’t previously) and will be open for discovery for upcoming lawsuits.

The entire company will be re-trained on security best practices, regardless of where the breach occurred.

Directors and executives will be discussing internally how to downplay the situation with very carefully worded memos and missives. People (sometimes even those responsible) will be thrown under the bus and there will be plenty of blame to go around.

Bottom line is that once people start paying close attention to all the details, tons of money is spent investigating what went down, how to prevent it in the future, and settling lawsuits that arise out of it.

Anonymous 0 Comments

Digital forensics incident response guy here. For example, if we are investigating a breach and it involves patient records, in the United States there can be a $1,000 or more fine per record that was compromised. I recently worked an investigation where a medical clinic upgraded their patient management software to a different program. The vendor didn’t tell them that their database conversion was done by a low-bidder outsource to India. About a year and a half later an internet investigator found the records for sale online, figured out who the clinic was, and contacted them; it didn’t take long to figure out that the vendor had shipped their database overseas for conversion without telling them and it got sold out the back door of the outsource conversion company. This was not a large medical facility, but they had about 10,000 patient records. So of course, out the gate, they were looking at a potential $10 million fine.

Anonymous 0 Comments

Cost breaks down into four quadrants:

1. Fixing the breach that exists
2. Upgrading hardware / software to prevent it in the future
3. Regulatory fines
4. Reputational damage / loss of business

Anonymous 0 Comments

Bad guys break into homes and businesses.

Some bad guys like to trash the joint.

Some bad guys like to hide your stuff.

Some bad guys like to trash the joint *and* hide your stuff.

The bigger your house (or company), the longer it takes for you to find out how much of your stuff the bad guys hid and how much of your stuff they just trashed.

Sometimes you have spare copies of your stuff; sometimes you don’t.

Things you don’t have spare copies of, you’ve gotta go buy (or make) again.

And, sometimes the bad guys do so much damage no one wants to come to your place anymore for fear that the bad guys will come back.

Anonymous 0 Comments

Because a CEO has to put their attention to it for 5 mins, so the labour cost goes through the roof.

Anonymous 0 Comments

1) you need to fix the problem
2) you need to publicly announce the problem
3) you need to publicly contact the affected people
4) you lose customers because they can no longer trust you with their data
5) you lose investors because of the lost customer base

Customer information that is valuable is things like credit card information, social security information, name, date of birth, address. Credit card information can be used to make fake charges on your account. Things like social security information can be used for pure identity theft: impersonating you, filing claims for fake medical procedures, or making multiple credit cards in your name.

The “fix” for these things is to offer some sort of credit card monitoring service for a few years.

Fixing the original data breach isn’t necessarily a big deal, although it can be. It may involve encryption best practices, or alternately changing the way private data is handled. For example, Chase, a payment processor, allows their clients to encrypt customer data without ever seeing it on their servers. Instead they get a token which can be used for transactions but is useless for anyone else or any other purpose.

Losing customers is a huge issue. Company valuation will often include things like “good will”, which are assigned a monetary value and figure into stock price. A breach of trust means that not only customers lose faith in the company but investors also. This causes the stock price to drop.

Companies used to hide things like this when they could. Laws were passed, however, to protect consumers. You should know when your data has been stolen so you can protect yourself.
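The tokenization pattern the answer above describes (the merchant holds an opaque token, the processor alone holds the card number) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any real processor; the TokenVault and MerchantDB classes and every card number in it are constructed for illustration. It shows why a dump of the merchant's table after a breach yields nothing chargeable: the tokens are random except for the last four digits and the only mapping back to a real card lives in the vault.

```python
"""Tokenization vault demo (added example, not from the original thread).

The merchant never stores the card number (PAN); it stores an opaque token
issued by a separate vault that stands in for the payment processor.
All card numbers and customer names below are constructed test data.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so the vault rejects malformed input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor side: the only place that can map a token back to a PAN."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}
        # Keyed hash for the PAN lookup index, so the index is not a plain
        # copy of the card numbers. Key is generated per vault instance.
        self._blind_key = secrets.token_bytes(32)

    def _pan_index(self, pan: str) -> str:
        return hmac.new(self._blind_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (re.fullmatch(r"\d{13,19}", pan) and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        idx = self._pan_index(pan)
        if idx in self._index_to_token:         # repeat customer, same token
            return self._index_to_token[idx]
        # Format-preserving token: same length and same last four digits so
        # receipts and existing merchant code keep working; the rest is random
        # and carries no information about the real PAN.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the processor when a charge is submitted."""
        return self._token_to_pan[token]


class MerchantDB:
    """Merchant side: customer table holds tokens, never card numbers."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.rows: list[dict[str, str]] = []

    def store_card(self, customer: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self.rows.append({"customer": customer, "card_token": token})
        return token

    def leaked_values(self) -> set[str]:
        """Everything an attacker would see in a dump of this table."""
        return {v for row in self.rows for v in row.values()}


def breach_exposes_pans(db: MerchantDB, real_pans: list[str]) -> bool:
    """True if any stored value is one of the real card numbers."""
    leaked = db.leaked_values()
    return any(pan.replace(" ", "") in leaked for pan in real_pans)


if __name__ == "__main__":
    vault = TokenVault()
    db = MerchantDB(vault)
    cards = ["4111 1111 1111 1111", "5555 5555 5555 4444"]   # constructed
    for name, pan in zip(["alice", "bob"], cards):
        print(name, "->", db.store_card(name, pan))
    print("dump exposes real PANs:", breach_exposes_pans(db, cards))
```

The design point is the split of trust: the merchant can take payments with nothing but tokens, and the detokenize path exists only on the vault side, so the merchant's breach surface no longer contains the asset a thief wants.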

Anonymous 0 Comments

TLDR: data breaches cost so much because victim orgs aren’t prepared and haven’t invested appropriately.

For a small org, it is approx. $500k to get started. That breaks out to:
$135k for IR team (300 hrs)
$250k for legal to talk to 50 AGs’ offices
$115k for IT support

Legal will likely end up at $2M or more, not including any litigation.
IR services could double or triple easily.
IT support could reasonably grow to $1M.

None of these costs include:
Forensic tools
Emergency hardware or software to get back running
Ransomware payment or services to pay ransomware
Crisis management services
PR and communication services
Notification services
Hardware and software upgrades
Outside support services
Attribution services (if required)

The shorter answer is that data breaches cost so much because of the amount of work required to stop and clean them up and the hourly rates of the service providers that clean up data breaches.

I have more than 20 yrs in this space.