Lost Laptops Cost $1.8 Billion Per Year

Only one-third of missing laptops have full-disk encryption for preventing data breaches, finds Ponemon study of European firms.

Mathew J. Schwartz, Contributor

April 21, 2011

3 Min Read

In the past year, 275 businesses in Europe have lost a combined 72,000 laptops, costing those organizations a total of $1.8 billion. Of the 265 laptops lost by the average organization per year, a company will typically only recover 12.

Those findings come from a new study from Ponemon Institute, sponsored by Intel. The report provides an interesting comparison to a recent study of laptop loss in the United States, also conducted by Ponemon, which found that the problem led to losses of $2.1 billion for surveyed companies, or $6.4 million per business. In the U.S. study, 329 organizations surveyed lost more than 86,000 laptops over the course of a year.

While the estimated costs of losing a laptop might seem high, the laptop itself is the least expensive cost involved. Indeed, according to Ponemon, cleaning up the resulting data breach typically accounts for 80% of the cost estimate. Other costs include forensics, lost productivity, legal bills, regulatory expenses, and lost intellectual property.

In Europe, the riskiest places to lose a laptop appear to be anywhere away from the office. In particular, 42% were lost offsite, such as when working from a home office or hotel room, while 32% were lost in transit or when traveling. Still, a surprising number--13%--were lost in the workplace, and an equal percentage of companies didn't know where laptops went missing.

Patterns of laptop loss between the United States and Europe are very similar, according to a blog post from Intel's Patrick Ward. "Like the U.S., the education and research, and health and pharmaceutical industries in Europe experienced the highest rate of laptop loss," he said. "This is most likely due to the fact that both industries have similar characteristics like high mobility."

What might not be surprising in the wake of seemingly nonstop breaches involving laptops that store sensitive information in unencrypted format--such as BP losing a laptop in February that contained Gulf claimant data--is that 31% of lost laptops stored sensitive or confidential information in unencrypted format. Indeed, only 34% of lost laptops used disk encryption, while 7% used some other type of anti-theft feature. In terms of recovering data, only 26% of lost laptops had full-disk imaging backup, though obviously many organizations use other types of backup capabilities.

Laptops that store valuable information are the most likely to be stolen. On the flipside, the study also found that they're the most likely to have full-disk encryption. "Our results suggest companies experiencing a higher theft rate are more likely to use disk encryption as a safeguard," according to the study. "In addition, companies choosing disk encryption are likely to have employees who routinely carry sensitive or confidential data on their laptop computers."

Why do laptops containing unencrypted, sensitive information continue to get lost and stolen? "If I read about one more laptop stolen out of a car that has 10,000 people's information on it, including social security numbers, I'm going to scream--it's inexcusable," said Linda Foley, founder of the Identity Theft Resource Center. "Why in the world would a company allow a policy to be in place where they could find it acceptable that [personally identifiable information] would leave the premises? For what reason does that need to be on a portable computer that goes back and forth--or any mobile device?"

One technique for stopping laptop loss was broached at least as far back as 2003 in Corporate Counsel magazine. The chief privacy officer at a back-office processing company for medical records made workers pay out of pocket for the cost of a lost or stolen laptop. That led to a 50% reduction in laptop loss--as well as a sharp rise in the use of cable locks--for the nearly 40,000 employees who used laptops.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights