RealTime IT News

Hefty Price Tag for Lost Laptops: Nearly $50,000

When workers lose their laptops at conferences and airports or in taxis, rental cars or hotels, the cost to their employer can be steep.

How steep? Think almost $50,000.

That's according to a new report by the Ponemon Institute, which looked at the costs to companies not just in terms of hardware, but also in lost data.

In its study, which was sponsored by Intel, Ponemon found that the average reported cost of a lost laptop came to $49,246.

While hardware costs ranged only from $913 to $2,500 among the 138 cases it examined, the total estimated expense -- after factoring in lost data -- ranged from $1,213 to $975,527.

Those figures might be even higher than companies are willing to admit, since they're based on reported losses.

"We had to build the model based on what was reported to us," said company chairman and founder Larry Ponemon, calling from the RSA conference. "It is unlikely in my experience that there are no other residual costs than replacement value."

Even if they're conservative, the figures are in keeping with other recent findings by Ponemon, which reported in earlier studies that data lost in company breaches represents 80 percent of the breaches' total cost to the business. Where there's a loss of intellectual property (IP), the loss of IP represents 59 percent of the total cost.

Ponemon calculates the total cost of each stolen record in a breach by factoring in the loss of reputation, losses from future business, and a variety of additional costs.

In Ponemon's most expensive example of a missing laptop, each lost record was estimated to have cost its owner $225. With 6,200 records stolen, the data's total price tag amounted to around $973,400 -- almost all of the $975,527 cost Ponemon recorded for the incident, with the remainder likely to be primarily related to hardware.

In addition to the cost of hardware and data, a number of additional factors add to the expense of recovering from a missing laptop: detection, forensics, lost productivity and legal, consulting or regulatory expenses.

For detection and forensics, the report assumes that an IT organization's best people are called in. It assumes they're worth 2.5 times their hourly wage to the organization, so that if the employee is paid $36 per hour, the cost per hour to the organization of deploying vital employees in incident response is $82 or $90. Similar calculations are involved in the cost of lost productivity.

The report did not break down the components of its cost estimates for legal, consulting and regulatory expenses, but Ponemon pointed out that those costs can occur over a period of several years, and the report covers losses over a 12-month period.

"Lawsuits take years," he said. "The FCC might issue a fine for data loss a couple of years after the breach."

Recommendations

To help defray the costs associated with lost laptops, the report recommended wide deployment of anti-theft and data protection solutions.

"An understanding of how costly it is to lose a laptop can be used to make the case for purchasing enterprise-wide solutions," Ponemon wrote in the study.

The report also recommended that laptops be encrypted, as this reduces the average cost of a loss by almost $20,000. Ponemon explained that while encryption won't thwart all thieves, it will deter many of them.

"It won't stop the super-brilliant cyber criminal ... but the average bad guy stops when they see encryption," he said. "It works 90 to 95 percent of the time, and that's based not just on work we've done but also on conversations with the U.S. Secret Service."
