Laptop Data Breaches: Mitigating Risks Through Encryption And Liability Insurance

By Julie Machal-Fulks and Robert J. Scott

I. Introduction
Since February 2005, the identities of approximately 93 million people have been exposed because of data leaks.(1) Ponemon Institute conducted a recent survey of almost 500 corporate information technology departments regarding the security risks associated with portable devices, such as laptops, personal data assistants (PDAs) and USB memory sticks. Ponemon reported that 81 percent of respondents have experienced a lost or stolen laptop or portable storage device.(2)

These losses of information can be very costly. According to a report published by Symantec, the average laptop contains data worth approximately $972,000.(3) The Federal Bureau of Investigation Computer Crime Survey estimated that the average annual cost of computer security incidents is $67.2 billion.(4)


A study of the actual costs incurred by companies that lost confidential customer information indicates that the average direct, indirect, and opportunity costs to companies that experienced a data breach was $14 million per company.(5) Companies also saw an average cost of $140 for every customer with breached data.(6) The average number of customers affected by breaches of confidential information was 100,000.(7)

The costs are not only monetary, but can also include loss of business reputation and customer goodwill. A recent survey indicated that when companies send notice to their customers that their data has been compromised, 19 percent terminate the relationship, 40 percent consider terminating the relationship, and 27 percent are concerned about the relationship.(8) Fifty percent of the costs associated with recovery after a data breach are attributable to loss of existing customers.(9)

Businesses and government entities have recently faced intense scrutiny and negative publicity following theft of laptops and other mobile devices. This article will examine some of the details regarding the various thefts and losses and make some general recommendations about how to minimize the organizational impact and negative consequences following a loss.


II. Laptops Lost in 2006
Hundreds of thousands of individuals received notification this year that their personal information was compromised when criminals stole laptops or other portable devices containing sensitive information. This section will describe the facts from some of the prominent cases this year. Many of these cases are recent, and it is unclear what litigation, if any, will result from the data breaches.

a. General Electric
In early September, a General Electric official left a laptop computer in a locked hotel room. The laptop contained the Social Security numbers of 50,000 current and former employees. The official was authorized to have the data on the laptop. Thieves stole the laptop from the official’s locked hotel room.

Although there was no immediate sign that the information had been used improperly, the personal information on the laptop included all the information necessary to steal someone’s identity. General Electric offered one year of free credit monitoring for affected persons.

b. Ernst & Young
In four separate instances this year, Ernst & Young employees lost laptop computers. The laptops contained sensitive information about hundreds of thousands of Hotels.com customers and Sun Microsystems, IBM, Cisco, BP, and Nokia employees. In the March theft, four Ernst & Young employees left their laptops in a hotel conference room while they went to lunch. When they returned, their laptops, along with the sensitive data contained within, were missing. Ernst & Young claims that as of March 9, 2006, it required all of its employees to encrypt all the data on their laptops.(10)

c. Fidelity Investments
Fidelity Investments also suffered the embarrassing publicity associated with a data breach when it was required to notify 196,000 current and former HP employees that it lost a laptop. Fidelity indicated that it enacted additional security procedures to prevent unauthorized access to the HP accounts. Fidelity also offered free 12-month credit monitoring for the victims of the data loss.

d. University of Minnesota
The University of Minnesota instituted a policy in May 2006 regarding breaches of personal information.(11) The University adopted a policy that was designed to “protect[] individuals from potential harm arising from the unauthorized
