AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Breach Cost Averages 3.43 Million Across The Globe

I'm poring over the latest report released by The Ponemon Institute, and I'm wondering whether there's more to the story than meets the eye.  In addition to localized reports for the US, UK, Germany, France, and Australia, The Ponemon Institute has released a global report.  Among other things, it shows that companies that are more aggressive in protecting their data--such as by using drive encryption software like AlertBoot to protect the data on lost laptops--tend to have lower data breach costs.

The Findings

The report concludes that countries with data breach notification laws tend to have higher data breach-related costs.  Of the five countries, the US and Germany are the only nations that have data breach notification laws.

I've read that a similar law is coming to the UK soon, due to EU requirements, which implies there should be a similar one passed in France.  Australia is preparing to pass such a law as well, although it has yet to be announced when.

The above table essentially sums up the 2009 Annual Study: Global Cost of a Data Breach.   Note how the US and Germany, the two countries with breach notification laws, have higher average costs associated with data breaches.

The "average cost per record" includes every possible cost: ex-post response; detection and escalation, such as hiring data forensic experts; lost business to customer turnover, due to the breach; etc.

"Ex-post response" is defined as "activities to help victims of a breach communicate with the company to ask additional questions or obtain recommendations in order to minimize potential harm.  Redress activities also include ex-post response such as credit report monitoring or the reissuing of a new account or credit card."

It includes setting up and operating hot-lines and legal defense costs, but not the actual act of notifying customers (for example, by mailing letters about the incident).

While Germany had the highest ex-post cost, it's interesting to note that as a percentage of the overall cost, it trails France.  The US ranks bottom.  But, the US and Germany rank highest in terms of pure dollars.

I'm not sure what the correct interpretation ought to be.  Perhaps it just means that in countries with data breach notification laws, companies involved in an information security incident put more of an effort into identifying what went wrong and notifying customers, and put less emphasis on offering post-notification services.

Or perhaps it means that, regardless of the country, the amount necessary for post-notification services tends to be about the same, and countries with breach notification rules have significant extra expenses related to getting in touch with those affected by a breach.

What About the Cost of Living and Other Factors?

The opinion that data breach laws lead to higher costs makes sense.  After all, without such a law, a company doesn't have to make an announcement.  No one's the wiser and the company can save all that money that would have been spent on mailing letters, fielding customer inquiries, defending against lawsuits, etc.

Whereas if you have a "make your breach public" rule, then you'd have all those extra expenses--and lost future opportunities because a number of customers don't want to do business with you.

Makes sense, right?  Except, I'm wondering whether that's true.  For example, did the analysis incorporate the cost of living in each country?  One dollar in the US is not necessarily its equivalent in the UK, regardless of what the exchange rate happens to be.

In other words, it's about purchasing power parity: does the same product cost the same in two different countries, and if not, which one is overvalued?  This ties directly to whether one dollar in the US equals one dollar in the UK.

Restated, if it costs a company US$10 to mail 100 letters in the US, can a UK company also mail those 100 letters for the UK pound equivalent of $10?  Or could it cost less?  If so, then the average cost could be lower regardless of whether there was a breach law or not.

Too Tall An Order

It would be nice to see such factors incorporated into the Ponemon reports.  However, I'll readily admit that it would be outside the scope of The Ponemon Institute's objectives.


Related Articles and Sites:
http://www.encryptionreports.com/
http://www.eweek.com/c/a/Security/Data-Breaches-Less-Costly-With-Strong-CISO-317469/
http://www.forbes.com/2010/04/27/breach-disclosure-data-technology-security-laws.html
http://www.pgp.com/insight/newsroom/press_releases/2009_annual_study_global_cost_of_data_breach.html


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.