Case Study: Calculating the Cost of Data Loss

Regulations require many industries to report data loss, especially healthcare and financial services. If you want to track the latest reported incidents, a collection of them can be found at DataLossDB (www.datalossdb.com). The publicly known incidents tracked by the database can be used as an example of what a data loss might cost you. As you can see in Figure 9-2, some recent examples of data breaches are listed, the most recent being Dean Health Systems at St. Mary’s Hospital (Madison, Wisconsin), where a doctor’s laptop with 3,288 patient records was stolen from his home. The hospital now has to incur the costs of responding to the incident and of determining the cost of the breach itself. Data loss can happen through any medium, and posting information to Facebook can be the same as losing patient data on a laptop—and have the same regulatory consequences, in this case violating the HIPAA Security Rule.


Figure 9-2 Recent records stolen as listed by DataLossDB.com

Companies are spending enormous amounts of money responding to social media breaches. As you will see in Chapter 11, Domino’s had to launch a multimillion-dollar campaign to combat a negative attack on its brand in the social media sphere. Dell has launched an aggressive social media command center, training over 1,000 employees in social media usage in 2010 and building a data center focused on social media tracking in 2011.

One free tool that St. Mary’s Hospital can use is from Allied World, which created the Tech//404® Data Loss Cost calculator (http://www.tech-404.com/calculator.html) so organizations can estimate the financial impact of a data breach or identity theft incident. This online calculator is free and automatically generates an average cost for the expenses associated with a data loss. Because the doctor’s laptop contained 3,288 records, the average cost, as shown in the calculator in Figure 9-3, is $546,703.

Determining what went wrong in this case is easy. If the hospital had invested in hard drive encryption technology such as PGP, it would not have had to incur these costs under the HIPAA Security Rule. The cost of a license is less than $200 per laptop, which is a much better deal than incurring $546,703 in incident management expenses. The second problem we can infer concerns the business process around how data is used and stored. Should the laptop have contained patient information in the first place, and should the doctor have been allowed to take the laptop home (if it was not his personal laptop)? Many healthcare organizations are moving to an online model for managing patient health information. If you can eliminate the need for local storage, you can eliminate some of the risk of data theft.


Figure 9-3 Cost of data breach for St. Mary’s Hospital
