[Dave Birch] I’m still curious to see whether we can assign a cost to identity for business planning purposes. One path to take is to simply look at the market value of stolen identities. Naturally, there is a spectrum here depending on what “identity” it is that has been stolen: Credit card details up for sale
email passwords can cost as little as $1 whereas credit card details go for up to $350. There must be a wide variation in these bands though: my e-mail password would surely be worth more than $1 to someone (I’d be crushed if it wasn’t) and David Beckham
‘s or Hillary Clinton
‘s would be worth even more. But those are special cases where the “theft” is very personal: in reality, the overwhelming majority of identity theft isn’t.
Technorati Tags: fraud, identity
If an identity is stolen, how much is lost? Figuring would surely help bound the value, at least for the purposes of basic business planning purposes. In a recent Utica college survey of U.S. cases, the median loss was $31,000. If this seems high it’s because the study only looked at the “big jobs”, the cases that were solved by the Secret Service (which, as we all know, as founded to stop counterfeiting?). A more general Gartner survey of consumer victims found an average loss of about $3,300 in the estimated 15 million annual cases in the U.S.
Gartner also said that implementing security is cheaper in the long run than having a data breach, which I’m sure is true, although when it comes to security most finance directors subscribe to Keynes maxim: in the long run, we’re all dead. Yet if Gartner’s figures are correct, the case is overwhelming, a real no-brainer. Gartner calculates that a data breach costs companies around US$300 per exposed account because of investigations, fines and lawsuits. On the other hand, better security costs around US$16 per account for the first year, and that cost falls over time. Why would anyone not do this? Either the figures must be wrong or companies are run by people who can’t do arithmetic.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]