Everyone knows that losing private data is bad. Now we know it's expensive, too.
Larry Ponemon was the founding partner of PricewaterhouseCoopers' risk-management privacy practice before striking out on his own. Today, as chairman of the Ponemon Institute, in Elk Rapids, Mich., he has conducted the first comprehensive studyfunded by PGP Corp.of the costs associated with losing corporate data.
CIO INSIGHT: Are we in the midst of some kind of data loss epidemic?
PONEMON: I don't think so. I think data breaches probably have been occurring for most of our lives. Companies have just not paid attention to the issue because there were no regulations that required organizations to inform victims. Before California's notification law, there was no appetite to report a breach.
If these laws had not been put into place would consumers still be living in oblivion?
For the most part, people are still pretty complacent about their privacy rights. They really don't seem to worry when they receive notice of a breach; they don't seem to do the basic blocking-and-tackling things, such as review their credit reports. So there's evidence to suggest that the majority of people still don't care.
I think that over time, too, people may find notifications so commonplacelike the Gramm-Leach-Bliley notices that no one readsthat they'll ignore the notices. I don't know how it's going to play out.
What was the most surprising thing you found from your research?
Companies tended to focus on their direct costs, like whether they should offer each victim a free security-monitoring tool worth, say, $20. But they really didn't focus on the possibility of abnormal churn. By that I mean, of those people who receive a data-breach notification, you can anticipate a certain percentage will get thoroughly ticked off and decide to move their business to another company.
So when we did the analysis, the biggest cost, the number-one category of greatest consequence, was people leaving an organization as a result of the breach.
For example, at one wireless telecom company the expected churn was somewhere between 0.9 to 1.1 percent. But their actual churn, after reporting the breach, was about 6,000 or 7,000 people, close to 11 percent. Now they didn't necessarily do the greatest job in reporting: They sugarcoated the message at first, until they learned that wasn't a good idea.
What we found is that companies with lower abnormal-churn rates actually spent more time being clear and concise with customers, explaining what happened and what data was compromised. They also provided customers with an opportunity to query the company through a toll-free number.
We also found that the company that provided a little monetary benefit, like a $10 gift certificate, seemed to actually get better results in terms of abnormal churn. I'm not sure if that's the greed factor, but people seemed to feel that something within the $10 to $20 range was more valuable than receiving a $20 credit-monitoring report.
Do you think this study will scare some companies into taking better care?
I spoke to one chief privacy officer the other day and asked her that same thing. She thinks that companies are relying on the hope that if enough companies report data breaches with these cheesy notices, then people will not really pay attention anymore.
But I don't think that's the case. I think it's going to wake up enough people who will then decide to do something. And when companies start to feel the pain, they're going to start executing better privacy practices.
How do the costs of losing data compare to the costs of protecting it?
The costs of protecting data may be very, very small for some thingslike training people on how to handle information with basic safeguards. But as you get into the more sophisticated solutions, it can be pretty expensive.
What can companies do to mitigate their financial losses, aside from not losing the data in the first place?
The number-one issue is that a lot of organizations need to be smarter about the data they collect about people and households. Most companies collect way too much information. Their general belief is that the more they can collect, the better. I think that many companies are starting to realize that just the ability to collect lots of data is not a good strategy. So they're developing an information strategy that says if we don't have it in the first place, then we don't have to worry about the consequences of having to disclose a breach, or about all of the other financial messes that we could find ourselves in. Plus it's a data hygiene question. Less data actually leads to greater performance.