For the companies involved, data breaches damage more than corporate image. They hit the bottom line.
According to research from the Ponemon Institute, a research firm focusing on privacy and data protection practices, data breaches cost companies $182 per record lost. The Privacy Rights Clearinghouse counts more than 100 million records lost to data breaches since February 2005. An FBI survey pegged losses due to data breaches at $67.2 billion in 2006.
And it's not just companies handling personal data, such as Social Security numbers or medical information, that bear the costs. According to Ponemon, 81 percent of the companies it surveyed reported losing one or more laptops containing confidential data each year. Each such laptop holds data worth around $972,000, according to a 2006 Symantec survey.
"People are running scared with their hair on fire," said Troy Allen, a risk consultant and CEO of security firm Kroll's Fraud Solutions unit. That sense of alarm has created an unregulated industry offering consumers and companies ways to "prevent" data breaches.
"You can't stop identity theft. Period," Allen said. No matter what policies are in place, laptops will walk off with data. And fraud alerts, the ubiquitous answer to data breaches, have become meaningless, he added.
Indeed, the rash of stolen laptops led Kroll to label 2006 "The Year of the Data Breach." Plenty of online auctions exist where identities are bought and sold and where, eBay style, the sellers get reviews. He said clean identities can go for as much as $40 a pop.
When Pennsylvania's Geisinger Health Systems learned that personal data of some of its patients might have been exposed as a result of a laptop theft, it offered ID theft protection from American International Group (AIG). The policy, introduced in 2006, covers businesses, providing up to $25 million against legal, regulatory and other breach-related costs. AIG's policies also provide form letters to help ID theft victims contact creditors, and even cover wages lost to time taken off to recover a stolen identity.
With identity theft and data breaches a costly reality, what can companies do to protect data? The most common response - simple passwords - is rarely enough, say experts.
"Password protection only is very weak," Yankee Group's Sal Capizzi said. Securing mobile data is a three-prong process: Capizzi recommended authentication, encryption and automated policies. It is not enough to have policies in place. Boeing had a policy requiring that downloaded data be encrypted, but an employee skipped the encryption step. The result: a stolen laptop containing employees' personal data. To take the human element out of the loop, security policies must be automated, according to Capizzi.
The new year will see greater focus on corporate and employee education regarding preventing data breaches. Allen predicts firms will also restrict or ban downloading data to CD or USB flash drives. "Employers will begin insisting that more information exchange takes place via secure online transfer," Allen said in a statement.
Kroll is advising data minimization, a concept counter to the prevailing belief that customer information is an advantage. "Information is a liability," Allen said.
Data minimization involves three steps: don't collect or keep information you don't absolutely need; minimize the number of locations where the information is stored; and purge the data once it is no longer needed.
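The three steps above, together with Capizzi's point that a policy people can skip is not a policy, translate naturally into code: a single store that applies the retention rules on every write and on every purge, so nobody has to remember to do it. The following is an added illustration written for this article, not Kroll's or any vendor's software; the purposes, allowed fields, retention periods and forbidden identifiers are hypothetical, and the records it processes are constructed here.

```python
"""Data-minimization store: keep only needed fields, in one place, for a bounded time.

Added example; the policies and sample records below are constructed for
illustration and are not drawn from the article or any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionPolicy:
    allowed_fields: frozenset   # the only fields this purpose may keep
    retention: timedelta        # how long they may be kept after storage


# Hypothetical policies for two business purposes.
POLICIES = {
    "shipping": RetentionPolicy(frozenset({"name", "address"}), timedelta(days=90)),
    "billing":  RetentionPolicy(frozenset({"name", "card_last4"}), timedelta(days=365)),
}

# Identifiers no purpose here is ever allowed to store. A record carrying one
# is rejected outright rather than silently trimmed, so the caller notices
# that upstream is collecting more than it should.
FORBIDDEN_FIELDS = frozenset({"ssn", "full_card_number"})


class PolicyViolation(ValueError):
    pass


@dataclass
class StoredRecord:
    purpose: str
    stored_at: datetime
    data: dict


@dataclass
class MinimizingStore:
    """The one place records live; every write passes through the policy."""
    records: list = field(default_factory=list)

    def put(self, record: dict, purpose: str, now: datetime) -> dict:
        policy = POLICIES.get(purpose)
        if policy is None:
            # No policy means no retention period, which means indefinite
            # storage; refuse rather than guess.
            raise PolicyViolation(f"no retention policy defined for purpose {purpose!r}")
        forbidden = FORBIDDEN_FIELDS & record.keys()
        if forbidden:
            raise PolicyViolation(f"record carries forbidden fields: {sorted(forbidden)}")
        # Step 1: keep only what this purpose needs; everything else is dropped
        # before it ever touches storage.
        kept = {k: v for k, v in record.items() if k in policy.allowed_fields}
        self.records.append(StoredRecord(purpose, now, kept))
        return kept

    def purge(self, now: datetime) -> int:
        """Step 3: delete everything past its retention period; returns the count removed."""
        before = len(self.records)
        self.records = [
            r for r in self.records
            if now - r.stored_at < POLICIES[r.purpose].retention
        ]
        return before - len(self.records)


def demo() -> dict:
    """Walk the three steps on constructed data and return what was observed."""
    t0 = datetime(2007, 1, 1, tzinfo=timezone.utc)
    store = MinimizingStore()
    # Date of birth is not needed to ship a parcel, so it never gets stored.
    shipped = store.put(
        {"name": "A. Customer", "address": "1 Main St", "dob": "1970-01-01"},
        "shipping", t0)
    store.put({"name": "A. Customer", "card_last4": "4242"}, "billing", t0)
    # A record that arrives carrying an SSN is refused entirely.
    try:
        store.put({"name": "B. Customer", "ssn": "000-00-0000"}, "shipping", t0)
        rejected = False
    except PolicyViolation:
        rejected = True
    purged_early = store.purge(t0 + timedelta(days=30))   # nothing has expired yet
    purged_later = store.purge(t0 + timedelta(days=120))  # shipping record expired, billing kept
    return {
        "shipped": shipped,
        "rejected": rejected,
        "purged_early": purged_early,
        "purged_later": purged_later,
        "remaining": len(store.records),
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing every write through `put` is the one Capizzi makes about Boeing: the minimization and the retention clock are applied by the code path itself, not by an employee remembering to do it, and a scheduled call to `purge` is the only "policy" anyone has to maintain.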
Just as ego-driven virus writing evolved into for-profit criminal activity, so will data breaches. Identity theft is now linked to organized crime, drug financing and illegal immigration, according to Kroll.