Costs of data leakage: Vishal Gupta, CEO, Seclore Technologies

August 28, 2008

The costs of data leakage can span many areas and can have severe consequences. This may range from public embarrassment to financial loss, reduced stock equity, loss of competitive advantage or even criminal investigation and prosecution. Like in the case of Apple- where an employee revealed product information before it was released, the company's share price plummeted after the leak was revealed. The company can be forced to fire the employees involved, resulting in embarrassment, lost productivity and legal costs.

Data security practices tend to focus on the risks posed by a computer hacker, while overlooking the risks posed by a colleague in the next cubicle. The vast majority of employees may be trustworthy, but a moment of haste, anger, or greed may transform an employee into a serious threat to the company's data. Data Leakage is real and it starts on the inside. We often spend so much time building a wall around our enclaves that we do not consider risk internally. Unfortunately, real incidents are telling us we should look inward first and then outward. Leakage involves distribution methods, where data could be released accidentally or stolen intentionally.

When the action damages an image or reputation, the financial costs of data leakage are very hard to quantify. In more tangible matters, like IP loss, a damage assessment can probably be compiled. Consider the case of Acme Telepower, that had decided to shut its Indian Operations when an ex-employee stole and sold research data to a competitor. When the Law failed to act upon their complaint, the company had decided to shift its base to Australia. Besides affecting the lives of 1,100 employees, the company is also claiming a national loss of Rs 750/- crores. Such data breaches by employees result not only in financial losses, but also bring out the lack legal remedial measures available.

So, how much do Information Leaks really cost? One thing that has always been on our minds is the question about how much do information leaks actually cost. Recently an employee of LG leaked $1B of secrets to another Chinese manufacturer. While it might be very easy to figure out facts like whether the person actually worked for LG or actually leaked the information, it must be very difficult to figure out what is the value of the information ( $1B in this case ). One mechanism of valuing the damages of information leaks could be “cost plus” ie. all the investments made in R&D - To generate that information and put a little premium to it and there you get the possible damages. This is obviously flawed because no company would invest money in R&D to generate the Intellectual Property or to protect it if all it would get at the end would be the costs back.

Another mechanism of valuing the damages could be to look at the potential loss if this information is missing. This obviously gives rise to subjective numbers like the total market size for that end product as well as the potential loss in case of a leakage. Let's say a pharma company is working on the last of clinical trials for a drug and at that stage the complete research work is leaked to a competitor. Assuming the drug's potential market size is $10B (in profits) till the time it goes off patent and the competitor is as efficient as the principal in this case in launching the drug, it means that the company has potentially lost $5B. That sounds about right but is obviously full of too many subjective parameters like potential market size, efficiency and number of competitors etc which could easily make this $5B either $1B or $10B!!

The third mechanism would be to look at the possible costs of licensing this Intellectual Property from a third party instead of building it on one's own i.e. What is the price that the company would have to pay to a third party in case it wanted to license this Intellectual Property for its own use ? Again, we are thrown into subjective parameters unless there is an actual case.Overall, it strikes us a complex problem to even make a guess on and that sets us wondering how the folks at LG got around to declaring the $1B number.