This Friday, 5:45pm - Your company's star financial analyst is on her way home and needs to drop by the grocery store to pick up dinner. On the passenger's seat is her laptop, freshly loaded with the customer database to help prepare a report for Monday.
She's in the store for 20 minutes and returns to find a window broken and her laptop gone. The cost to replace the laptop is $1,700; the cost of losing the data is more than the analyst, your CEO, and the board of directors could ever imagine.
Sound familiar? Hopefully not, but variations on this scenario are becoming commonplace. The Privacy Rights Clearinghouse reports that since 2005 almost 150 million individuals' personally identifiable information has been compromised due to a data security breach. The breach of TJX Corporation's systems (parent of T.J. Maxx), resulting in the theft of 45 million credit card numbers and other personal details, shows that this trend continues to grow.
Even before this incident, the recurrence of data security breaches and the public response to them had led over 30 states to enact legislation requiring that individuals affected by a breach be notified personally. These requirements, media attention and customer concern can have an all too real impact on business today and tomorrow.
Counting the cost
So what are the real costs of a data security breach? For the second year, The Ponemon Institute teamed with PGP Corporation to research this issue. Based on data provided by 31 U.S. businesses that experienced an actual breach, the average breach cost was $4.8 million or $182 per exposed record, an increase of more than 30 percent from 2005.
A startling 35 percent of these breaches involved the loss or theft of a laptop computer or other device, and overall 70 percent were due to a mistake or malicious intent by an organization's own staff.
Anatomy of a breach
A data breach doesn't just involve the discovery of a missing tape or a stolen laptop, however. Research shows that the real cost of a breach extends well beyond the actual event and resulting customer notification. In fact, lost business due to a breach dwarfs all other costs, accounting for 54 percent of total breach costs.
How does a breach affect business so dramatically? As the result of being notified about a breach officially or learning of it through the media, customers may decide to end their relationship with the responsible company, increasing turnover and ultimately reducing revenue. Additionally, prospective customers may decide to take their business elsewhere, further reducing revenue and increasing customer acquisition and retention costs.
Surprisingly, the cost of notifying customers only accounts for 14 percent of reported costs. The least significant cost of a breach, the cost of actually detecting and investigating the breach, accounts for a mere six percent of total costs.
Customers speak — loudly
How could the cost of lost business be so high? The Ponemon Institute found that 19 percent of consumers notified of a data breach discontinued their relationship with the business and a further 40 percent considered leaving. This turnover not only wrecks the customer lifetime value equation, but clearly destroys brand equity. IT and finance aren't the only areas hurt in a breach; sales and marketing are probably the most damaged, as the cost and effort of obtaining and retaining customers continues to increase.
Keeping data safe and users happy
Imagine telling the vice president of sales that his team can't take their laptops out of the office. Or telling your chief financial officer to stop sharing spreadsheets on file servers or in email. Or telling the chief executive officer that his habit of keeping work on a 1GB flash drive could become the firm's biggest embarrassment, potentially costing millions if it's lost or stolen.
Organizations are taking action to protect data while keeping their end users productive. 66 percent of U.S. IT organizations using encryption do so to mitigate the risk of a breach. In most cases, encryption provides a safe harbor: customer notification requirements are waived if the lost data was encrypted. In practice that protection only holds when the data really was encrypted at rest and the key did not travel with the device; a laptop left in suspend with its volume unlocked, or a passphrase on a note in the laptop bag, undercuts it. This is leading businesses to investigate the increased use of encryption across the organization. Enterprise encryption solutions available today, such as full disk encryption, protect every sector of the drive rather than relying on users to encrypt individual files, and do so without encumbering users. These solutions will hopefully make counting the cost of a data breach unnecessary.
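Before relying on the encryption safe harbor, it is worth verifying that a laptop's data actually lives on an encrypted volume, including swap, where the contents of memory (and therefore customer records from an open spreadsheet) get written during hibernation. The script below is an added example, not code from the article or from PGP Corporation; it parses the JSON tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on a Linux system and reports every mounted filesystem or swap area whose block-device chain does not pass through a `crypt` (dm-crypt/LUKS) layer. The `SAMPLE_LSBLK_JSON` text is a constructed sample, not captured output, and `/boot` is ignored by default on the assumption that it holds only public kernel and bootloader images.

```python
"""Check that every mounted filesystem and swap area sits behind a dm-crypt
layer, using the JSON tree printed by `lsblk -J -o NAME,TYPE,MOUNTPOINT`.
Added example; the sample tree below is constructed, not captured."""
import json
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample: /boot is a plain partition, root and /home are LVM
# volumes inside a LUKS mapping (type "crypt"), and swap is an unencrypted
# partition. lsblk reports swap devices with the pseudo-mountpoint "[SWAP]".
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]},
      {"name": "sda3", "type": "part", "mountpoint": "[SWAP]"}
    ]}
  ]
}
"""


def parse_lsblk(text: str) -> dict:
    """Parse lsblk's JSON output into the block-device tree."""
    return json.loads(text)


def classify_mounts(tree: dict) -> Dict[str, Optional[str]]:
    """Map each mountpoint (and "[SWAP]") to the name of the nearest 'crypt'
    ancestor, or None when the data path reaches the disk in the clear."""
    result: Dict[str, Optional[str]] = {}

    def walk(node: dict, crypt_parent: Optional[str]) -> None:
        # Anything below a crypt node is stored encrypted on the disk.
        if node.get("type") == "crypt":
            crypt_parent = node["name"]
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = crypt_parent
        for child in node.get("children", []):
            walk(child, crypt_parent)

    for device in tree["blockdevices"]:
        walk(device, None)
    return result


def unencrypted_mounts(tree: dict, ignore: Tuple[str, ...] = ("/boot",)) -> List[str]:
    """Mountpoints whose data is not behind a crypt layer, sorted for stable
    output. /boot is ignored by default (assumed to hold only public images)."""
    return sorted(mp for mp, layer in classify_mounts(tree).items()
                  if layer is None and mp not in ignore)


def audit_live_system() -> List[str]:
    """Run lsblk on the current machine and return the unencrypted mounts."""
    out = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"])
    return unencrypted_mounts(parse_lsblk(out.decode()))


if __name__ == "__main__":
    exposed = unencrypted_mounts(parse_lsblk(SAMPLE_LSBLK_JSON))
    print("unencrypted:", exposed)  # ['[SWAP]']
```

On the constructed sample the only finding is the swap partition, which is exactly the kind of gap that makes a "fully encrypted" laptop report as such in an inventory while still leaking data. Run `audit_live_system()` on a real machine (it needs a util-linux `lsblk` with JSON support) and treat any non-empty result as a system that does not qualify for the safe harbor described above.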
- Kevin Bocek is product marketing manager at PGP Corporation