Stolen laptops, compromised databases, lost backup tapes, or mismanaged email-all can result in the loss of valuable customer information. Organizations that experience a data breach can suffer the loss of existing customer confidence, damage to their brand, and loss of future revenue from new customers that take their business elsewhere. Equally damaging are the actual costs associated with legal requirements to notify customers that their private, sensitive, and confidential information has been mishandled.

As of July 18, 2006, at least 34 states in the U.S. have passed laws requiring organizations and government agencies to notify customers, employees, and other affected individuals when a breach of protected personal information occurs due to human error, technology problems, or malicious acts. Regulations such as California Senate Bill 1386 apply to "any person or business that conducts business in California" even if they are located outside the U.S. In addition, there are currently more than a dozen regulations pending at the federal level in the U.S. Senate and House of Representatives.

Overall costs to recover from a data breach increased 30 percent between the 2005 and 2006 surveys. The average number of records lost declined, but the cost per record increased significantly.

Total per-incident costs including average direct, indirect, and opportunity costs:

• $182 per record or $4.8 million per company
• Company costs reported ranged from $226,000 to $22 million

-- Source: 2006 Annual Study: Cost of a Data Breach (see links at right)