One of the reasons people give for not signing up for data security programs like drive encryption software from AlertBoot is cost. They claim that their IT budget is fixed. That encryption does not produce revenue. That they don't need encryption because they didn't lose any records last year (highly doubtful).
An analysis, however, may open some eyes, as well as raise some eyebrows.
The figures come from The Ponemon Institute's annual surveys. The dollar figures you see above are totals, including costs for notifications, lost employee productivity, cost of lost business from angered customers, legal fees, etc. As far as I can tell, it doesn't include legal settlements or penalties.
So, depending on how many customers you have, you can expect an impact of about $197 x (number of customers in your database). The more customers you have, the higher the chances of approaching, and going beyond, this figure.
For example, if I lost the information for 10 customers, chances are the cost will be much less than $1970 since I don't need to set up a call center to deal with inquiries.
However, there is something in 2009 that companies have to take into consideration that they didn't back in 2007 or 2008. Massachusetts passed a new law that, beginning in May 2009, will start assessing civil penalties for data breaches involving unencrypted data. And if history is any guide, it means other states will start exploring civil penalties as well (these things tend to spread once one state has taken the initiative).
Supposedly, the fine will be up to $5000 per violation (it's not clear whether "per violation" means per person involved or per law that is broken; everyone seems to have a different interpretation, and I can't contribute since I'm not a lawyer).
Can you imagine, though? Up to $5000 per customer record compromised? Even if the state decides to fine you 1/10th of that amount ($500 per record), that alone is more than double the $197 per record above, and it comes on top of the other costs, since it's separate from them!
HDD encryption software is beginning to look cheap, I'd say.
In fact, when you consider that a company probably has more customers than computers, the odds are it makes sense to really begin looking into encryption products to secure sensitive data.
Related Articles:
http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199000222
http://www.pgp.com/insight/newsroom/press_releases/2007/ponemon-us.html
http://www.computerworld.com/pdfs/PGP_Annual_Study_PDF.pdf
http://www.cio.com/article/print/466817
The US Department of Veterans Affairs has decided to settle a class-action suit that was filed in response