Posts Tagged ‘personally identifiable information’


Outsourced data breach response lowers costs

Posted by: Doug Pollack | February 9th, 2010

The Ponemon Institute released its fifth annual study, 2009 Annual Study: Cost of Data Breach, last month. This year, the report explored several new areas and came up with some interesting and, in some cases, surprising conclusions.

These include:

- Customer/patient/client churn rate, the tendency for a data breach event to cause them to “vote with their feet” and choose another provider, remains the key cost driver for data breach incidents. Such lost customer costs are typically 2/3rds the cost of a data breach. Industries that exhibit the highest churn rates are healthcare, pharmaceuticals and communications (all 6%).

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third-party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but validates the value of an outside consultant that is knowledgeable and can execute using best practices.

- “Companies that notify too quickly may incur higher costs.” This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report are full of valuable and interesting data and perspective for privacy, information security, legal and financial officers. It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI, especially the CISOs who are most frequently the organizational members responsible for the handling of data breach incidents.

Applications for Employment: What You Should Disclose and When

Posted by: admin | May 22nd, 2009

By Rebecca Seaman

In this tough economy, many of us are actively searching for employment. In most cases, quite a bit of personal information is required to get hired. The question is: when and under what circumstances should you disclose this personal information?

If you are just placing an initial application, the potential employer needs to know your name, relevant work history, and little else. They do not (in most cases; specialized or Federal positions may be an exception) need or require your Social Security number, driver's license number, maiden name, etc. In fact, I personally will not even provide detailed address information on my resume or initial applications. I simply provide City, State and Zip Code. This information is private and should not be required to secure an interview.

When will you need to provide more detailed personal information such as your Social Security number? My advice is only after you’ve had an interview and the employer has expressed an interest in bringing you aboard contingent on a background check. If your potential employer is not requesting a background check, then I suggest you only provide sensitive information once an offer has been extended and you are filling out tax documents.

Please be sure to safeguard your personal information, even when job hunting. I have personally seen initial applications asking for sensitive information, but it is never a required field by law. Remember, what you transmit over the internet has the potential to become exposed. If you have any doubts at all, please research the company with the Better Business Bureau or your state AG before giving any organization your Social Security number.