The Costs of Data Leakage

Yesterday I took part in an excellent Symantec event in London on Data Leakage. This is a very hot topic and one that seems to be getting scarier by the day, with regular media reports of incidents with high financial and reputation impact. Things have certainly changed from the heady dotcom days when availability was all the rage, and confidentiality was seen by many as a relic from the past. Encryption of data at rest was rarely encountered (though we did it at Royal Mail to protect our customers’ credit card details). But regulatory compliance and high-profile incidents have since transformed the security landscape, and confidentiality is back with a vengeance, rising to the top of the security agenda.

I’ve been pointing out for some time that the costs of security incidents are both understated and rising. Just look at some of the recent costs associated with data breaches. Nationwide was hit by a fine of almost £1 million, arising from the loss of a single laptop. And that’s on top of all the operational costs and reputation damage. TJ Maxx have already reported a fourth-quarter charge of $5 million to cover the costs of investigation and remedial work from an incident in which details of more than 45 million credit cards were captured by hackers exploiting security weaknesses in their infrastructure. Many pundits expect the cost to go much, much higher. Most of this speculation arises from recent research by analysts and institutes, such as the Ponemon Institute, which indicates that the cost of data breaches is now well in excess of $100 per compromised record, suggesting that the overall consequential costs of the TJ Maxx incident might run into billions of dollars.

Of course all of this is speculative because we can’t know, measure or separate out all the current and future costs of an incident. But there are a lot of direct and consequential costs arising from data breaches, including for example the costs of investigations, remedial work, lost customers, loss of brand value, additional regulatory demands, fines, lawsuits, PR costs, and the costs of re-issuing credit cards. Not to mention the overall impact on e-Business from customers switching to cash payments. But one thing is clear. The risks and impact will continue to rise until organisations achieve much higher levels of security, including tighter platform and network security, better staff awareness and more aggressive auditing and monitoring of operational processes.