Yesterday I saw a presentation from a sales rep of PointSec at a local ISSA meeting. Aside from the fact that it was, I suspect, largely a straight copy of their standard sales deck, there were a few interesting points, the most interesting of which weren't really made in the presentation, but rather about the presentation. He talked a lot about data loss, data value, and the cost of data recovery. The interesting thing is that the usage of these very distinct terms was haphazard. Data loss, specifically the loss of data via equipment loss, was highlighted to emphasize frequency: "These things occur all the time!" Data value was highlighted to emphasize severity: "And they are very serious!" Finally, the cost of data recovery was presented as the usual 'infinite brand damage' metric: "And one loss could drive your company out of business!" It's a favorite of mine, incidentally.
There are several problems here. First, he never quite manages to connect the data loss to data compromise, i.e. the fraudulent use of stolen data. I'm not saying the connection doesn't exist, but that the focus on loss over compromise is misleading. Data compromise is a serious problem that seems underreported, probably because it's hard to measure. That doesn't mean it isn't important to measure. Secondly, data value isn't the same as cost of recovery, or at least it's not reported as such. Look at this recent incident in Alaska. They lost a $38 billion file, but the cost of recovery was closer to $200,000.
And last, but not least, there's the 'infinite brand damage' metric. Let's look at a few examples via a three-point analysis. For these purposes, the 'date of incident' is the date it became public. Stock prices are at the close of the market around the same date in the appropriate month. I picked four relatively high-profile incidents, but there are more.
TJX (1/17/2007)
Stock Price 3 months before incident (October 2006): 28.97
Stock Price today (March 2007): 26.46
Stock Price 6 months after incident: N/A
Ameriprise AMP (1/29/2006)
Stock Price 3 months before incident (October 2005): 37.10
Stock Price 3 months after incident (April 2006): 49.04
Stock Price 6 months after incident (July 2006): 44.54
Choicepoint CPS (2/15/2005)
Stock Price 3 months before incident (November 2004): 44.01
Stock Price 3 months after incident (May 2005): 37.16
Stock Price 6 months after incident (August 2005): 43.22
ADP (7/6/2006)
Stock Price 3 months before incident (April 2006): 46.78
Stock Price 3 months after incident (October 2006): 47.47
Stock Price 6 months after incident (January 2007): 48.76
Using stock price as an indicator, one can conclude that either the brand damage isn't very significant or these four companies worked very hard at recovery. Clearly, I can't measure the direct increase in money spent on brand recovery by each of these organizations, but it is also clear that none of them was irreparably damaged by its respective incident.
The thing is, brand damage is driven by public perception. The more data loss disclosures that occur, the more the public perceives them as normal and, in turn, the lower the risk of brand damage becomes. This is why (appropriate) punitive damages are an important part of the regulatory environment. The public can only react in a significant way to outliers in the incident arena, and if data loss is normal, then the fear of public reaction is not a valid incentive.
*UPDATE*
With perfect, yet unplanned, timing: "Data from TJX Security Breach Fuels Fraud Scheme"