Think a data security breach is unlikely to hit your firm? Think again. One of the greatest risks facing organizations today is the proliferation of portable devices -- laptops, PDAs, USB jump drives -- that often contain personal customer or employee data.
In fact, a recent survey of 500 corporate IT departments, conducted by the Ponemon Institute, found that 81 percent of respondents had experienced a lost or stolen laptop or portable storage device. And, says the institute, about 60 percent of PDAs and laptops contain unprotected sensitive or confidential information.
These data losses can be very costly. Let's look at some recent reports:
- A 2006 survey from Symantec Corp. found that the average laptop contains data worth approximately $972,000.
- Another 2006 survey, produced by the Federal Bureau of Investigation, estimated the average annual cost of computer security incidents at $67.2 billion.
- An earlier 2005 survey, from PGP Corp., reported that lost confidential customer information typically costs companies $14 million.
NOT JUST MONEY
But costs of lost or stolen data are not just monetary. They often include loss to business reputation and customer goodwill.
For example, PGP found that when companies notify customers that their data has been compromised, 19 percent terminate the relationship, 40 percent consider terminating the relationship and 27 percent of respondents express concern about the relationship.
Indeed, half of recovery costs after a data breach are attributable to loss of existing customers.
So what can you do to protect your firm?
You may be surprised, but protecting your data often involves some very simple, common-sense steps:
- Encryption: To protect sensitive information and reduce the need to report security breaches, be sure your users routinely encrypt all names, addresses, account numbers and other personal information.
- Passwords: Always protect information stored on the laptop with a secure password. To maximize safety, passwords should include a combination of numbers and upper- and lowercase letters.
- Remote security tools: Be sure that everyone in your organization is using remote security tools that help your firm find and deactivate drives in the event a portable device is lost or stolen. Among the products available are MyLaptopGPS, by AIT Solutions, and Inspice Trace and Inspice SmartProtec, from Inspice.
- Backup, backup, backup: It goes without saying that it's absolutely essential to do backups. Be sure that all important data contained on the laptop is backed up. Establish and enforce protocols.
- Hardware: In addition to software security, use traditional hardware measures -- such as locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.
- Hide your device: Never leave a device on your desk or any other open, visible place. When leaving a laptop in your office, make sure it is hidden and secured.
- Be inconspicuous: Always keep your laptop in an inconspicuous case. Flashy cases will expose your computer by attracting thieves' attention. A simple, padded messenger bag can suffice as a protective container.
Your organization may want to consider some of the new policies offered by insurance providers that are specifically designed to assist with data breaches. These may help you defray the costs associated with investigating a breach to determine whether state laws require notification, as well as help pay for the costs associated with breach notification requirements.
The new policies often include coverage for the following claims:
- Failure of network security;
- Wrongful disclosure of private or confidential information;
- Failure to protect confidential or private information;
- Violations of federal, state or local privacy statutes.
Some corporate identity theft insurance policies also help with the costs of repairing damage to the firm's reputation. Some also provide crisis management coverage and reimbursement for public relations expenses.
The coverage also may provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG's Corporate Identity Protection offers a product that covers administrative expenses resulting from a breach of personal information.
Like a traditional commercial policy, some security breach policies contain provisions requiring the insurance company to pay for an attorney to defend the company in the event it experiences a data security breach.
Finally, look for policies that cover the costs associated with post-event services, like credit monitoring and identity theft education for the individuals affected by the security breach.