How Much Will a Security Breach Cost Your Company?
Many smaller businesses have lax security policies, leaving their customers' confidential data vulnerable to identity thieves. These slipshod procedures could end up costing a business much more than the steps needed to protect sensitive information.
The Davidson County Election Commission's inadequate security policies exposed 337,000 voters to potential cases of identity theft. The fallout has forced the agency to dip into its budget, created a lot of extra work, and sullied its reputation.
On Christmas Eve (ho, ho, ho), a thief used a rock to break into the election commission's office, which serves the city of Nashville, Tenn., and then walked off with two laptops containing voters' Social Security numbers as well as a router and a digital camera. Because none of the data on the computers was encrypted, the thief could easily have used the information to create false accounts.
Fortunately, a suspect was arrested and the laptops recovered. Not exactly a candidate for the FBI's Ten Most Wanted list, Robert Osbourne, 45, wounded himself as he made his way into the building. In the past, he had burglarized other locations in order to support his drug addiction and been caught. As a result of his previous offenses, his DNA was on file. In fact, he had not been out of jail long, having been released in October 2007 after serving a three-year sentence.
At this point, it appears that the devices were sold at face value, and no cases of identity theft took place. But recently hacking has evolved from a mischievous activity performed by adolescents to a financial boondoggle run by professional criminals, so the devices could have ended up in the hands of someone who understood their potential value. Theoretically, technology-savvy criminals could have harvested the personal information stored on them in order to perpetrate identity theft.
The Trouble With Security Policies in Smaller Businesses
The case highlights the gaping hole that many small and midsize businesses have in their security policies. Laptops are becoming more common, and executives use them for mission-critical applications. As employees carry the devices from place to place, the likelihood of loss or theft increases. AT&T, the Chicago Public Schools, Qualcomm, The Gap, and the U.S. Department of State are a few of the organizations whose notebooks have been stolen during the past few years, and their customers' personal data exposed to possible intrusion.
Despite these high-profile cases, many small and midsize businesses continue to do a mediocre job (unfortunately, at best, in many cases) of protecting individuals' confidential data. Whenever data is not encrypted, all a criminal has to do is turn on a computer and open up a file in order to access personal information.
Eventually, such slipshod procedures cost a business much more than the steps needed to protect sensitive information. The Davidson County Election Commission snafu increased its expenses. To determine if there were other security holes in its policy, the department had to undertake a comprehensive audit. In fact, the Mayor's Office directed Nashville General Services to conduct security audits at all Metro buildings. Also, municipal employees had to spend a lot of time investigating the incident and then trying to ascertain its implications. In addition, the election commission had to put in place procedures to notify its users of the break-in and try to help them avoid becoming victims of identity theft.
For the last item, the election commission partnered with Debix Identity Protection Network to provide affected citizens with a year of identity theft coverage for free. Ironically, the break-in turned out to be great advertising for Debix. The incident enabled the company to identify 337,000 potential customers with first-hand knowledge about the potential benefits of its service. To further entice them, the company is offering these users a second year of its service at a reduced rate: $9.50 versus its typical $99 annual charge.
Your Company's Reputation is at Stake
Last, the agency has earned a reputation of being a buffoon. Leaving Social Security numbers on laptops, which could be easily moved from location to location, without basic security checks in place is simply idiotic. While it is too late for the Davidson County Election Commission to rescue its reputation, it is not for your company. If laptops with sensitive information -- and how much corporate data is not sensitive? -- are anywhere in your organization, you need to make sure they are protected. Next time, it may not be a drug addict who walks off with the sensitive data. It may be someone who can do far more damage to your organization.
How many laptops are in your company? What do you do to protect them? Are you surprised agencies like the Davidson County Election Commission do not guard their data more closely?
Paul Korzeniowski is a Sudbury, Mass.-based freelance writer who has been writing about networking issues for two decades. His work has appeared in Business 2.0, Entrepreneur, Investors Business Daily, Newsweek, and information.