"The reality is that most breaches just aren’t of this magnitude," he said. "And so the median is more reflective of the overall costs."
In his study, reputation costs such as loss of brand value were not included in the total, he said. "How would you measure loss of brand, anyhow?"
Another recent breach costs report, produced by the Ponemon Institute and IBM this summer, puts the average cost of a breach at $4 million, up from $3.79 million last year.
The average cost is a little lower than that of the Rand study because the mega-breaches were deliberately excluded from the sample, said Larry Ponemon, chairman and founder at Ponemon Institute.
"You want to have enough observations and right now there aren't enough to get a good model," he said.
Ponemon considers both the direct and indirect costs of a data breach. Direct costs include hiring forensic experts and victim identity protection services. Indirect costs include the time employees spend resolving the breach, but also the loss of goodwill and customer churn.
However, Ponemon doesn't consider all the indirect costs that Deloitte does, and also focuses specifically on lost data records such as credit card numbers and not on other types of losses.
Why the numbers matter
The breach cost estimates affect the cost-benefit calculation of companies looking at their security budgets.
"Firms lack incentives to invest in security as much as many people would like," said Rand's Romanosky.
Companies need to look at more than the immediate remediation costs and technology costs when considering the total impact of a breach, and should involve participants from throughout the organization when analyzing the risk.
"Breaches have an immediate cost related to incident response and forensics, but it is minimal compared to the long-term costs related to brand trust and organizational security restructuring costs," said Julien Bellanger, co-founder & CEO at Los Angeles-based Prevoty. "It seems that Verizon understands that and is pricing the long-term cost of the Yahoo hack at what should be a wake-up call for enterprises underinvesting in security."