By: Nigel Stanley, Practice Leader - IT Security, Bloor Research. Published: 3rd December 2007. Copyright Bloor Research © 2007
The appalling circumstances surrounding the loss of the HMRC data disks have been well documented in the seething press and blogosphere over the past few days, but what is the real cost of a data breach, in plain old monetary terms?
Understanding the details of any data breach is difficult. Historically these breaches may be shrouded in secrecy as the offending organisation tries to bury its bad news or keep it a private matter away from customers' eyes. This strategy was blown out of the water by the first data breach notification requirements, enacted by the US state of California in 2003, compelling organisations and government agencies to 'fess up if they have lost personal information belonging to employees, customers or other individuals. The breach can be the result of a technical malfunction, human error or malicious acts, and the law applies to any business or organisation that "conducts business in California". To date 35 forward-looking US states have enacted similar legislation.
The good news for organisations is that there may be circumstances when a data breach is not technically a data breach, and therefore a notification does not need to happen.
Specifically:
Since January 2005 the Privacy Rights Clearing House in the US has identified more than 215 million records of US residents that have been exposed to security breaches.
A recently published update report from the respected Ponemon Institute, sponsored by PGP Corporation and Vontu, lays out in some detail the costs associated with typical data breaches. The value of this report is huge, as the data it uses has been collected from 35 organisations that have been through the pain of a data loss episode, and are therefore well placed to cite the real costs and implications to their businesses. The breaches analysed ranged from 4,000 to 125,000 records across 15 different industry sectors.
This is the third annual survey from the Ponemon Institute covering this topic so we can now start to undertake some trend analysis.
The total cost of a breach rose to an average $197 per record, up 8% on 2006 and 43% on 2005. The average cost of a breach was $6.3 million. The cost of associated lost business increased by more than 30% and averaged at $128 per record compromised.
A UK specific version of this report is due out early next year, and it will be interesting to compare the costs of UK breaches vs. US breaches. For example, are legal costs less in the UK?
No matter what the individual monetary cost of a breach is, the reality is that it causes no end of trouble to the individuals who have been exposed, as the millions subjected to the incompetence of HMRC are finding out. The costs in angst, time and effort of this breach are something that can't be measured in pure monetary terms.
Published by: IT Analysis Communications Ltd.