Content Copyright © 2008 Bloor. All Rights Reserved.
Also posted on: Nigel Stanley
Each day at work I get an update on the latest publicly
revealed data loss incidents, be it laptops, memory sticks or corporate hacks.
Unfortunately I become pretty immune to these daily reports and normally skim
read what has no doubt been a traumatic incident for those involved. Many data
loss incidents take months, if not years, to clear up; some will probably never
be concluded as our friends at HMRC are discovering. It could be a long time
before those discs turn up, if ever.
If (or more likely when) a bank loses customer data on an
unencrypted laptop or USB drive then a number of people will be directly
affected. The person responsible for losing the laptop will be disciplined, and
maybe fired. The IT function will need to explain why the data was not
encrypted and, more importantly, the individuals whose data has been lost may
have problems with identity theft.
The cost of such a data loss is now quantifiable, thanks to
work completed by the Ponemon Institute. More importantly we now have UK-specific numbers, gleaned from an anonymous survey of 21 UK businesses that
suffered a data loss in 2007. (The Ponemon Institute has run a similar survey
in the US for the past 3 years so we now have trending data. This is the first
survey using the same methodology in the UK.) On average, a data breach in the
UK costs £47 per record compromised, with financial services companies paying
£55 per record due to the higher expectations of privacy and security. The full
UK report is now available at http://www.pgp.com/downloads/research_reports/index.html
So at a micro level we have seen that data losses have an
impact. Most people who are not directly involved will call it a day and move
on to the next data breach that is no doubt coming around the corner.
But what about the macro level? Is there a bigger impact
from such data losses than the £47 per record?
The answer is yes.
Much as a butterfly may flap its wings in California and
cause a violent storm in Europe, we can imagine a butterfly effect with data loss.
The recent loss of PCs in South America that contained details of a new oil
find off the coast of Brazil was luckily down to common theft. Imagine if it
was a targeted assault on the data by either a political or commercial enemy.
It is not too hard to imagine such a theft impacting the subsequent development
of the oil field, which in turn may have an effect on global oil prices.
All from the theft of some PCs. Far-fetched? I don’t think
Industrial espionage is bigger business than it has ever
been. Politically motivated espionage is as vibrant as ever, and terrorist attacks on IT infrastructures are a huge threat not often discussed in
the public domain.
Maybe the time has come to stop the shrieking about
individual data loss incidents and focus more on the bigger picture. That way,
at least, we may get governments and organisations to take the matter