Scott & Scott, LLP Page 1

Business Impact of a Data Breach
Research Sponsored by Scott & Scott, LLP

Julie Machal-Fulks

May 23, 2007

Scott & Scott, LLP Page 2

Survey Topics

• Are organizations prepared to respond to breaches and what remedial actions do they consider the most important?
• Do organizations measure the cost related to breaches?
• What causes data breaches?
• How have breaches affected organizations’ strategies for preventing breaches?
• Are there differences in the way pre-breach and post-breach organizations approach prevention and detection of data breaches?

Scott & Scott, LLP Page 3

The sample of 702 IT security practitioners

[Pie chart: Distribution of respondents by U.S. geographic regions. Legend: Northeast, Mid-Atlantic, Midwest, Southeast, Southwest, Pacific. Data labels as extracted: 22%, 19%, 17%, 14%, 12%, 16%.]

Sample response           Freq.    Pct%
Total sampling frame      11762    100.0%
Email invitations sent    11053    94.0%
Bounce back               897      7.6%
Total surveys received    780      6.6%
Rejected surveys          78       0.7%
Final sample              702      6.0%

Scott & Scott, LLP Page 4

85% of respondents’ companies experienced a breach or security incident

Bar Chart 1: Data breach statistics for the present sample

Companies experiencing the loss of personal information: 85%
Companies required to notify breach victims: 81%

Scott & Scott, LLP Page 5

42% of data breaches were caused by missing devices such as laptop computers

Bar Chart 2: Probable cause of the data breach event

Missing backup media: 4%
Malicious employees: 6%
Criminal activity: 6%
IT mishaps: 7%
Negligent third parties: 10%
Negligent employees: 16%
Missing devices: 42%

Scott & Scott, LLP Page 6

Are organizations failing to employ remedial measures to reduce the risk of future breaches?

Bar Chart 3: What organizations are not deploying after data breach

Encryption solutions: 46%
Conducting training: 46%
Hiring outside counsel: 63%
Controlling system disposal: 63%
Identity & access management: 65%
Controlling endpoints: 65%
Event management tools: 73%

Scott & Scott, LLP Page 7

57% did not have an incident response plan in place when the breach happened

Bar Chart 4: Did you have an incident plan before the breach?

Did not have an incident response plan: 57%
Did not engage outside legal counsel to draft or review plan: 77%

Scott & Scott, LLP Page 8

Typical immediate response: prompt notification by letter

Bar Chart 5: Immediate response to data breach

Prompt notification by letter: 62%
Assessed harm to victims: 47%
Offer credit monitoring services: 46%
Prompt notification by telephone: 22%

Scott & Scott, LLP Page 9

81% of respondents have not calculated costs associated with breaches

Bar Chart 6: Cost included in analysis of data breach

Cost to notify victims: 28%
Cost of assisting victims: 22%
Loss of customers: 21%
Potential litigation: 17%
Cost to hire experts: 10%
Potential fines: 10%
Decline in share value: 9%

Scott & Scott, LLP Page 10

Notification strategy: 37% notify everyone, regardless of potential harm

Bar Chart 7: Who needs to be notified?

Notify everyone (over-report): 37%
Careful assessment before notifying: 36%
Notify only after absolute confirmation of harm: 14%

Scott & Scott, LLP Page 11

Majority of respondents do not believe that breach victims suffer monetary damages

Bar Chart 8: What percentage of breach victims experienced monetary damages?

0% (no monetary damages): 50%
Between 1 to 2%: 20%
Between 2 to 4%: 11%

Scott & Scott, LLP Page 12

Is management supportive of efforts to prevent data breaches?

Bar Chart 10: Is senior management supportive?

Had a breach: 80%
Did not have a breach: 65%

Scott & Scott, LLP Page 13

Breaches may impact spending on IT security

Bar Chart 9: Percentage difference between companies that experienced a breach and companies that did not experience a breach

[Clustered bar chart. Categories: Encryption, Devices are properly cleaned, Legal counsel, Data leak prevention, Training and awareness, Data inventory. Series: Had breach, Did not have breach. Data labels as extracted: 54%, 37%, 37%, 23%, 54%, 14%, 27%, 10%, 15%, 9%, 41%, 2%.]

Scott & Scott, LLP Page 14

Breaches may change expectations about IT spending

How will IT security spending change in 2007?

Had a breach: Increase 40%, No change 49%, Decrease 11%
Did not have a breach: Increase 27%, No change 53%, Decrease 20%

Scott & Scott, LLP Page 15

Questions?

Robert J. Scott
Julie Machal-Fulks
Scott & Scott, LLP
2200 Ross Avenue, Suite 5350E
Dallas, Texas 75201
800-596-6176
www.scottandscottllp.com