How Much is Your Sensitive Data Costing You? Here’s What CFOs Need to Know.

Originally published by TokenEx here.

Written by Anni Burchfiel, Content Marketing Specialist, TokenEx.

For many, sensitive data management seems like an inconsequential topic when compared to other business considerations. How can businesses prioritize sensitive data security when a factor like “risk” seems incalculable compared to many of the immediate and concrete concerns leaders face?

While this may be a common perception, the costs associated with securing sensitive data are a real and quantifiable concern; one that could be costing your business more than you realize.

Sensitive data not only leaves companies liable to costly data breaches, but managing sensitive data incurs large security, compliance, and labor costs. Thankfully, with the proper technology, these costs can be reduced, or even eliminated.

What is the Cost of Sensitive Data?

How much is your sensitive data really costing you? This answer will vary on the amount, and type, of sensitive data you handle. For example, certain types of sensitive data, like cardholder information, are more valuable to hackers and more tightly regulated. This drives up the cost of maintaining cardholder data.

Overall, the cost of sensitive data comes down to three major factors: The cost of risk, the cost of compliance, and the cost of data management.

The Cost of Risk

According to research from IBM and the Ponemon Institute, the average global cost of a data breach was $4.24 million in 2021, or about $161 per record. That’s a conservative estimate, too. The average cost per breach in the United States was more than double that, at $9.05 million. Additionally, breaches within the healthcare industry were incredibly expensive at $9.23 million per occurrence, according to the same study.

The risk of sensitive personal data breaches may seem like an inevitability, but they don’t have to be. In the next section, we’ll discuss a tool that can protect sensitive data and eliminate this risk. But first, let’s examine another cost:

The Cost of Compliance

In order to reduce risk for both companies and consumers, sensitive data is often highly regulated. However, obtaining and maintaining compliance with industry standards can itself be a costly task. Take PCI compliance as an example. PCI DSS sets security standards for cardholder data and requires yearly assessments to ensure that businesses protect cardholder data correctly.

The cost of PCI compliance varies widely based on the size of the company. Small businesses may only spend $100 on a Self- Assessment Questionnaire, while larger businesses may spend around $40,000 for an online audit.

Another large cost is remediation to meet PCI standards, which can cost $100 to $10,000 for small businesses, or $10,000 to $500,000 for large businesses. Additional costs, like training, vulnerability scans, and penetration testing also come with additional costs. If you’re curious about the cost of PCI compliance for your business, check out our PCI compliance cost calculator.

PCI compliance is one of the biggest compliance costs for those who handle cardholder data. However, every kind of sensitive data comes with regulations and the cost of obtaining compliance. For example:

• Handling PII (personally identifiable information) is highly regulated by regulations like the EU’s GDPR (General Data Protection Act) and the CCPA (California Consumer Privacy Act). Meeting these regulations with pseudonymization tools can cause a large, and costly, headache.
• NACHA compliance is guided by an ACH compliance manual. The cost of the manual ($60-$180) may not seem too much up front, but the real cost comes from internal changes needed to maintain compliance.
• HIPAA Compliance can be as costly, or more costly, than PCI Compliance based on the gaps found in a HIPAA compliance assessment. Just these initial assessments can cost around $10,000.

Large companies inevitably create large amounts of sensitive data. To cut down on compliance costs, removing as much of this data from the scope of compliance as possible is the key.

We’ll look at our recommended scope-reducing tool in a moment, but there’s one more cost to consider:

The Cost of Data Management

The internal structures that store your sensitive data, and the labor spent managing them, also come with their own cost. The security and structure of your data storage may be managed by one individual or a whole team. Either way, time spent to protect sensitive data is time that could be spent elsewhere.

Adding all these costs together may lead to a sum much higher than initially expected. Or maybe this cost is expected and has felt like a frustrating inevitability. Thankfully, these costs are not as inevitable as they may seem.

Sensitive data should be secure, but the level of security needed often demands a large check. Between the risk of potential losses and the concrete cost of system management and compliance standardization, sensitive data comes with a large price tag that continues to grow right alongside your company.

The great news is that these costs are preventable. By implementing proper data protection measures, you can not only minimize the likelihood of a data breach but also reduce the costs of data management.

How to Reduce Risk to Reduce Cost

So, what is the most effective data protection measure? If you’re looking to eliminate risk and cut sensitive data costs, tokenization is the best tool for you. Tokenization avoids compliance scope and prevents data breaches by eliminating the need for your company to handle your sensitive data at all.

If you aren’t familiar with this technology, here’s a quick explanation:

What is Tokenization?

Tokenization is the process of exchanging sensitive data for nonsensitive placeholders called tokens. These tokens can retain portions of the original data, such as the first four and last six digits of a credit card number, so they can continue to be used without incurring the risk and compliance obligations associated with handling sensitive data in its raw form. As a result, organizations can preserve the value and utility of their sensitive data while keeping it safe and remaining compliant.

How does Tokenization Eliminate Sensitive Data Exposure?

Unlike encrypted data, tokenized data is undecipherable, irreversible, and does not require traditional key management. Because there is no mathematical relationship between the token and its original number, there is no key to return the tokens to their original form.

So, even if your systems are breached, if your data is tokenized, no sensitive data will be exposed. This mitigates the potential impact of a breach, which can greatly reduce risk and costs.

How does Tokenization Cut Compliance Cost?

Because tokenization removes sensitive data from your environment, you’re no longer directly responsible for it—or the costs associated with storing it internally. Removing data from your internal systems will remove those sstems from the scope of compliance, which makes compliance easier and more affordable.

Does Tokenization Cut Other Costs?

Tokenization also cuts the labor and infrastructure costs of storing data internally and maintaining the systems that house it. Tokenization will also cut the cost of undergoing security audits and assessments to ensure that data is properly protected.

Tokenization removes the cost of sensitive data by removing the data from your internal systems and leaving behind tokens to support the data’s utility. Data protection isn’t just a way to reduce costs, though. It can also be a driver of revenue generation when implemented properly.

Can Tokenization also Drive Revenue?

Tokenization not only cuts costs, but the reduction of risk can also drive revenue in some cases. Let’s take payment tokenization as an example:

In the payment industry, risk can result in increased interchange fees, declines, or chargebacks because of fraud. Minimizing or eliminating that risk, then, can enhance authorization rates, lower interchange fees, and reduce declines and chargebacks.

Additionally, payment providers can even give you greater control over your data with tokenization. This allows you to add value to your business and obtain greater ownership of the systems and processes where your data is used.

When it comes to cutting costs and creating opportunities to generate revenue, data protection might not be the first thing that comes to mind. However, technologies that increase both security and business utility—such as tokenization—can make a positive impact on cost reduction and revenue generation.

The cost of sensitive data is real. So is the power of tokenization.