Hearing news about yet another lost or stolen laptop and exposure of personal information is almost like having seen too many horror flicks. Shock has shifted to disbelief – plus numb outrage at the apparent inability of corporations and government to protect our private personal data.
Outrage is not the only thing that is mounting. Coupled with an almost weekly litany of new major breach announcements are the rising cash costs associated with data insecurity. Organizations must quickly learn to protect data on mobile devices, both to assuage customer concerns and to control fallout to the bottom line. By using the protective technology of encryption, organizations can derive an actual "return on investment" thanks to eliminating risks of lost or stolen data.
Avoiding Financial Risks of Information Loss
According to a chronology of data breaches maintained by the Privacy Rights Clearinghouse, personal information of more than 84 million Americans was exposed during the period of February 2005 through May 2006. The cited cause often was a lost or stolen laptop PC or other portable device.
In almost every instance, full disk encryption would have protected those data from exposure even though their "containers" slipped past a boundary of physical control. Encryption is the last resort of protection because it obscures digital files and makes them unreadable to unauthorized people.
The result of not using encryption is potential exposure of data. Exposure automatically generates an array of hard and soft dollar costs, some of which can be otherwise controlled or eliminated. In a typical mid-to-large-sized organization, encryption can eliminate 90 percent or more of the annual recurring cost of risks associated with data exposure.
Types of Costs Caused by Data Exposure
There are four categories of potential costs incurred by organizations when computing equipment with corporate information is lost or stolen. Costs include replacement, recovery, impact and image. Some of these costs are straightforward, such as the price of a computer or software. Others vary by industry, pertinent regulations and associated penalties, and other market conditions.
The replacement category pertains to the physical replacement costs of hardware and software. Lost equipment is common, and can include multiple devices if all are carried in a briefcase forgotten in some public location or stolen from a rental car. Encryption does not reduce replacement costs.
Recovery costs are the costs of human labor to deal with administrative requirements, such as filing a police report and insurance claim. Other human costs include IT staff efforts to configure replacement gear, recover or reconstitute lost data, plus manual examination of data files, email and attachments to determine the extent of exposure. Some workflow may stop until a newly configured computer is available for use. Encryption eliminates most of the requirement for assessment, so these costs are limited to the equipment, not a company's brand or intellectual property.
Failure to comply with regulations and laws about preserving confidentiality of personally identifiable data can generate "impact" costs. Examples include penalties prescribed by the Gramm-Leach-Bliley Act for the financial industry and the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare industry.
Individual notification of incidents – even if exposed data is not actually exploited – is another costly and time-consuming expense. Security breach notification laws now prevail in at least 22 states; a national bill is forthcoming. Ancillary costs include shifting customers to new accounts, paying for ongoing credit checks, and the added burden on customer support staff. Companies with a data breach may also lose customers and revenue as consumers switch to competitors. All of these impact costs can be avoided with encryption.
The value of image is "priceless" because it is difficult to precisely gauge how customers and the public will react to news that a company's data was lost or stolen. Reputation may suffer. In some cases, market capitalization of a public company has temporarily declined as investors sell its stock after hearing news of a data breach. Companies may also have trouble retaining existing customers or attracting new ones.
The image-related cost can be enormous even if exposure is caused by the loss of just one laptop. A large financial services organization told our company that loss of one unencrypted laptop resulted in a loss of more than six million dollars. Image costs like these can be avoided by using encryption.
Every organization should assess its exposure to data loss because, despite best intentions, incidents of lost or stolen mobile computing equipment are bound to hit every year. By using encryption on those devices, organizations can minimize and even eliminate most of the costs associated with these incidents. This is demonstrable ROI with immense value to the well-being and continuity of every business.
Peter Larsson is CEO of Pointsec Mobile Technologies.