Hippocratic Security

Introduction

As companies, private organizations and governments collect, store, and analyze massive amounts of personal information, individuals are increasingly vulnerable to privacy threats. In particular, individuals risk exposure to identity theft, reputation damage, and loss of personal privacy if their information is disseminated in violation of data protection laws or their own privacy preferences.

Failure to safeguard this information, in addition to exposing companies to potential liability, may inhibit valuable information sharing or chill free expression, as many individuals may be reluctant to express controversial opinions or reveal sensitive information about themselves without sufficient assurances of anonymity.


Leaks of sensitive customer information and other corporate data are costing companies in the United States substantially more in related financial and business losses in 2006, according to a new study published by the Ponemon Institute.

The demands of the global economy and the value of free information flow are encouraging countries to resolve legal differences regarding privacy and agree on common elements of data protection.

The European Union (EU) has now passed the General Data Protection Regulation (GDPR), which is enforceable after May 2018. It strengthens and unifies data protection for individuals within the EU, whilst addressing the export of personal data outside the EU. Failing to comply with GDPR could result in fines between 10M and 20M euros or between 2% and 4% of world-wide turnover for the offending organization, depending on the rule broken.

As the management of information becomes increasingly important to global commerce, it is likely that many industrialized countries will insist on minimum common privacy standards.

Furthermore, according to the Ponemon Data Breach Study, information losses cost U.S. companies an average of $182 per compromised record in 2006, compared to an average loss of $138 per record in 2005, for an increase of about 31 percent.

The report, which is based on interviews held with 56 individual companies known to have experienced a data loss in the last year, maintains that roughly $128 of the 2006 figure is related to indirect fallout from information leaks, such as higher-than-normal customer turnover.

Other associated costs spurred by data mishandlings or thefts were an average price tag of $660,000 per company in expenses related to notifying customers, business partners and regulators about data leaks.

Ponemon contends that each company surveyed sacrificed roughly $2.5 million in lost business, based on their incidents.

To arrive at the figure, researchers combined costs from legal, investigative and administrative expenses with information related to affected companies' stock performance and customer defections, among other indicators.

Each company interviewed has parted with an average of $4.7 million in payouts and lost business in total, related to the incidents.

Companies in the study paid almost $300,000 on average to investigate their data leaks and spent just over $1.24 million on average for other efforts aimed at responding to records losses, such as setting up customer support hotlines or offering credit monitoring services to help protect against related fraud.

The price tag for each of the data loss overhead categories, including detection, notification, lost business and associated expenses, rose noticeably for 2006 compared to 2005.

The greatest leap was measured in lost business, which cost companies an average of $22 per record more in 2006 than it did in 2005. Firms lost an average of $98 in business per record this year, compared to $75 per record in 2005.

The average financial losses and overhead expenses related to data leakage incidents increased in direct relation to the number of records lost by an individual company, according to the research.

Total costs for each cited records loss studied in the report ranged from less than $1 million to more than $22 million.

"The burden companies must bear as a result of a data breach are significant, making a strong case for more strategic investments in preventative measures such as encryption and data loss prevention," said Dr. Larry Ponemon, chairman of Ponemon Institute, which is based in Elk Rapids, Mich.

"Tough laws and intense public scrutiny mean the consequences of poor security are steep—and growing steeper for companies entrusted with managing stores of consumer data."

In charting the most common sources of data leaks, researchers found that lost or stolen laptops remain the top culprit, accounting for 45 percent of all the incidents studied.

Records lost by third-party business partners or outsourcing companies represented the second most common type of event, representing 29 percent of all the reported leaks.

Misplaced or stolen backup files, such as those stored on magnetic tapes, accounted for 26 percent of the incidents, while the much-publicized usage of malware programs that steal data was reported in only 10 percent of the losses.

Many countries have responded to these challenges by enacting laws that limit the processing and disclosure of personal information. Nevertheless, privacy breaches and identity theft continue to increase due to weak or ineffective enforcement of these data protection laws as well as discrepancies and conflicts in legal protections.

Enforcement problems stem from: the administrative costs of implementing privacy regulations, the expense of acquiring new technology and reconfiguring applications to impose automated controls, and the inability of existing information systems to enforce fine-grained disclosure policies reliably and efficiently.

At the same time, varying constitutional standards and cultural attitudes toward privacy have resulted in conflicting data protection laws among different countries, posing impediments to the free flow of information in the global economy.

With the dbSpaces Hippocratic Security add-on, dbSpaces extends the standard relational database security model with a Hippocratic security model to offer its customers a more secure database environment for both Public and Private Cloud access.

Existing Relational Database Model

Current relational databases such as Oracle, SQL Server and DB2 implement security around Users and Database Roles. Roles are a means of grouping a collection of Users together to represent a business process or department, for example Accounts.

Users or Roles are granted privileges on database objects such as tables, views and stored procedures. For example, the Accounts role would require access to the customer table for reading, updating, etc.

The SQL statement to allow this is quite straightforward:

GRANT SELECT, INSERT, DELETE, UPDATE ON CUSTOMER TO ACCOUNTS;

This instruction to the database would allow any User in the Accounts role to read, write and update the Customer table.

However, you have no fine-grained control over the purpose of the user's update or over who they might be giving the output of any query to.

So if the User had access to the employee table and performed a SELECT * FROM EMPLOYEE, the User could give the output to anyone and you would not know unless you had purchased additional auditing software.

Some databases, such as the dbSpaces Virtual Database Server, allow you to grant privileges down to column level. This functionality allows you to protect or mask the values of certain columns when a query returns rows from a table.

For example, GRANT SELECT (salary) ON EMPLOYEE TO PAYROLL would allow any member of the Payroll role to see the salary values; anyone else would just see null values.

But once again you would not know the reason for any such query or future update, or who the recipient of the output was.

dbSpaces Hippocratic Security

The discussion of traditional database data access above granted the Payroll role the privilege to access salary within the Employee table, and pointed out that the existing relational model is limited in its ability to provide additional security and auditing.

With dbSpaces extended Hippocratic security you are able to restrict access to your data with a finer grain of control, using straightforward SQL-based commands. In dbSpaces, as well as having the ability to create Roles, you are able to create both Purposes and Recipients.

Purposes are reasons for making a database request, for example TESTING, REPORTING, etc.

Recipients are used for queries that do reporting; for example, the recipient of a query might be the Marketing Dept.

So now we can define which Role/User has access to your data, for what Purpose, and who will be getting the information.

An example SQL command for the Employee table might be:

GRANT SELECT FOR PURPOSE REPORTING TO RECIPIENT MARKETING ON EMPLOYEE TO ACCOUNTS;

dbSpaces would ensure that only data matching the above privilege is output when a User is connected to dbSpaces with the Purpose of Reporting and the Recipient is Marketing. Additionally, all queries and updates would be written to an audit table. The audit table could then be queried later to see who has been looking at the employee table and for what purpose.
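The enforcement and audit behaviour described above can be modelled in a few lines; this is an added example using Python and SQLite, not dbSpaces code or its implementation. The table names `hgrant` and `audit`, the function names, and the sample rows are all assumptions made for illustration, and restricting the purpose grant to specific columns goes one step beyond the page's table-level statement by combining it with the column-level masking described earlier.

```python
import sqlite3

SCHEMA = {"employee": ["id", "name", "salary"]}  # identifier whitelist (assumed schema)

def setup():
    db = sqlite3.connect(":memory:")
    # Constructed sample rows; hgrant holds one row per granted column.
    db.executescript("""
        CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
        INSERT INTO employee VALUES (1, 'Alice', 52000), (2, 'Bob', 48000);
        CREATE TABLE hgrant (role TEXT, purpose TEXT, recipient TEXT, tbl TEXT, col TEXT);
        CREATE TABLE audit (ts TEXT DEFAULT CURRENT_TIMESTAMP, usr TEXT, role TEXT,
            purpose TEXT, recipient TEXT, tbl TEXT, cols TEXT, allowed INTEGER);
    """)
    return db

def grant_select(db, role, purpose, recipient, tbl, cols=None):
    """Model of: GRANT SELECT FOR PURPOSE p TO RECIPIENT r ON tbl TO role."""
    for col in cols or SCHEMA[tbl]:
        db.execute("INSERT INTO hgrant VALUES (?,?,?,?,?)",
                   (role, purpose, recipient, tbl, col))

def select_all(db, usr, role, purpose, recipient, tbl):
    """SELECT * for a session's role, purpose and recipient; every request is audited."""
    if tbl not in SCHEMA:
        raise ValueError("unknown table")
    allowed = {row[0] for row in db.execute(
        "SELECT col FROM hgrant WHERE role=? AND purpose=? AND recipient=? AND tbl=?",
        (role, purpose, recipient, tbl))}
    # Write the audit row before touching the data, so denied requests are recorded too.
    db.execute(
        "INSERT INTO audit (usr, role, purpose, recipient, tbl, cols, allowed) "
        "VALUES (?,?,?,?,?,?,?)",
        (usr, role, purpose, recipient, tbl, ",".join(sorted(allowed)), int(bool(allowed))))
    if not allowed:
        return []  # no grant matches this purpose/recipient: nothing is disclosed
    # Columns outside the grant come back as NULL (column-level masking).
    exprs = ", ".join(c if c in allowed else f"NULL AS {c}" for c in SCHEMA[tbl])
    return db.execute(f"SELECT {exprs} FROM {tbl} ORDER BY id").fetchall()

def who_read(db, tbl):
    """Audit query: who asked for the table, for what purpose and recipient."""
    return db.execute("SELECT usr, purpose, recipient, allowed FROM audit "
                      "WHERE tbl=? ORDER BY rowid", (tbl,)).fetchall()
```

The same role gets rows back for REPORTING to MARKETING and nothing for any other purpose or recipient, and both attempts appear in the audit table.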

With dbSpaces Hippocratic Security you do not have to learn a new technology to make your database more secure, just additional SQL commands, so you can make use of existing skill sets within your organization.