RealTime IT News

Hefty Price Tag for Lost Laptops: Nearly $50,000 - Page 2


Encryption can also save money by changing a company's obligations under the law.

"In the event that data is encrypted -- PGP is very good -- the law does not necessarily require a company to notify customers," Ponemon said. "Thus, they don't have to incur the large data breach costs," which include the price of a loss of reputation.

Additionally, the report recommended backups -- even though laptops without backups appeared to cost companies less: $68,899 for backed-up laptops versus $39,253 on average for those for which there was no backup.

The difference might be that laptops without backups contained valuable data whose loss the business could not confirm, which Ponemon called the "ignorance is bliss hypothesis."

"We anticipated that having a backup would save time and reduce productivity loss," he told InternetNews.com. "What we found was that it did not work that way, because a company was better able to determine that there was data at risk."

In one case where there was a full backup, a consultant denied having any valuable data in a spreadsheet, claiming it contained only aggregate data. But when the company examined the backup of the file, it found that the tabs beyond the first contained individual customer data and even Social Security numbers.

"It was a huge problem for the company," Ponemon said.

The report also recommended training and awareness programs to reduce the incidence of lost laptops and ensure that losses are reported in a timely manner.

"If a company discovers the loss in the same day, the average cost is $8,950. If it takes more than one week, the average cost rises significantly to approximately $115,849," Ponemon wrote in the study.

Ponemon said that there are several ways that an IT organization might not learn of a loss for several days. In some cases, the employee will try to track down the laptop themselves. In others, the supervisor might not report the loss or might not listen to the voice mail in which the employee reports the loss. In one case, he said, the organization's help desk failed to report a loss to its own IT department.

Training's importance was highlighted by an embarrassing revelation from the British government last week, when a branch of its National Health Service reported having lost an encrypted USB drive.

The data, containing the personal health records of prisoners, is assumed compromised because the password had been written on a note attached to the USB drive -- a clear violation of the agency's data security procedures.