
Media Release: Lost Customer Information Surveys Results

LOST CUSTOMER INFORMATION: SURVEYS REVEAL CONSUMER REVOLT AND $14 MILLION AVERAGE CORPORATE COSTS TO CONTAIN BRAND DAMAGE

Results Distributed by PGP Corporation Show Substantial Impact from Consumer Data Breaches Involving 1.4 Million Compromised Records and $200 Million in Costs

Palo Alto, CA/14 November, 2005 - Two new surveys find customers are actively punishing companies that lose their confidential and private information. Conducted by The Ponemon Institute© and distributed by PGP Corporation, the surveys find that almost 20 percent of customers immediately terminated their accounts with vendors that lost their information, and an additional 40 percent considered termination. Companies participating in a parallel study estimated incurring an average cost of $14 million per breach incident, with costs ranging as high as $50 million. Reports are available from PGP Corporation at www.pgp.com/ponemon.

The survey - “Lost Customer Information: What Does a Data Breach Cost Companies?” - is the first of its kind to report data from actual cases of lost customer information and the associated costs incurred to recover. Covering 14 separate incidents, it represents 1.4 million compromised data records and almost $200 million in total costs. Total cost estimates include the actual cost of internal investigations, outside legal defense fees, notification and call center costs, PR and investor relations efforts, discounted services offered, lost employee productivity, and the effect of lost customers.

The related survey - “National Survey on Data Security Breach Notification” - reports results from 9,000 consumers, 12 percent of whom had received notifications of information mishandling. When extrapolated to the U.S. population, an estimated 23 million consumers have received such notices. Results showed 60 percent had terminated or were considering terminating their accounts.

“The increasing incidence of reporting of lost private personal records poses a serious threat to consumer confidence - and to vendor profits,” said Esther Dyson, editor of Release 1.0 for CNET Networks and a member of the PGP Business Advisory Board. “Yet it is the right thing to do because it is forcing companies to clean up their acts. Companies are beginning to understand the effect carelessness with data can have on their reputations and their bottom line.”

Report Findings
Top-level corporate survey findings:

  • Average additional spending resulting from a single data breach was $5 million
  • Reported costs ranged as high as $50 million for an insurance company
  • Average total recovery costs were $140 per lost customer record
  • Average loss was 2.5 percent of all customers, ranging as high as 11 percent

Top-level consumer survey findings:

  • Nearly 12 percent of consumers received a breach notification in the last year
  • This figure suggests an estimated 23 million adults have received such notifications
  • Almost 20 percent immediately terminated their accounts
  • An additional 40 percent are considering account termination

“Great companies know that customer acquisition and retention are the life-blood of long-term corporate success,” said Andrew Krcik, vice president of marketing for PGP Corporation. “A brand reputation built with hundreds of millions of dollars over decades can be destroyed by careless handling of private customer information. When the lifetime value of customers is so high and new customer acquisition so difficult, why destroy customer confidence when practical safeguards are available to prevent such an event?”

Regulatory Requirements
Corporations no longer have the option of hoping customers will not find out about mishandled information. Currently, 21 U.S. states have laws requiring that customers or employees be notified when protected personal information has been breached. Specific requirements vary by state, but this notification requirement is often waived if lost data was protected using encryption technologies. Notification legislation is also under consideration at the federal level.

“In my interviews with Chief Security Officers, encryption is by far the most commonly cited mitigation strategy for breach notification legislation,” said Jim Reavis, president of Reavis Consulting Group and editor of the CSOinformer newsletter. “The idea is simple: If you have a mobile device, database, or desktop computer protected with encryption from a proven vendor like PGP Corporation, companies and law enforcement have confidence that personal data on those systems is not subject to compromise.”

PGP Solutions
PGP Corporation has developed the PGP® Universal encryption platform to protect organizations from data breaches, regulatory notification requirements, and resulting costs. It allows IT organizations to provide data security to all internal departments and external partners that handle confidential information. Its proxy-based architecture allows for central management, with automatic operation, email infrastructure transparency, and elimination of laptop/desktop, gateway/server, and mobile/wireless encryption silos. It helps entities meet their business unit requirements for customer privacy, competitive protection, supply chain integrity, and “brand insurance” against public breaches - without disrupting users.

Once deployed, the PGP Universal platform is capable of provisioning 10 encryption applications in a combination of gateway and end-point locations. This “deploy-once, enable over time” approach allows organizations to address their greatest risks today and grow into a comprehensive security solution over time. Current PGP encryption suite applications include disk encryption, email encryption, digital signatures, secure data deletion, instant messaging encryption, Self-Decrypting Archives (SDAs), batch process/FTP encryption, secure tape/archive encryption, encrypted email delivery to all recipients, and an encryption Software Development Kit (SDK) for customized, internal applications.

About PGP Corporation
The global customer standard for encryption and digital-signature solutions, PGP Corporation develops, markets, and supports an integrated data security suite used by more than 30,000 enterprises, businesses, and governments worldwide, including 84 percent of the Fortune® 100, 66 percent of the Fortune® Global 100, and thousands of individuals and cryptography experts. During the past 10 years, PGP® technology has earned a global reputation for innovative, standards-based, trusted solutions. Contact PGP Corporation at www.pgp.com or +1 650 319 9000.

Media & analyst contact for PGP Corporation:
John Tran
Neale-May & Partners
+1 650 328 5555 ext. 277
jtran at nealemay dot com

###

Legal Notice Regarding Forward-Looking Statements
Some of the statements in this press release are forward-looking, including statements regarding the availability, plans, delivery, goals, development, expected features, expected benefits and competitive position of PGP products implementing or leveraging the PGP technologies. All references made to product feature enhancements, improvements in platform support or additional functionality are subject to change at solely PGP Corporation's discretion. All future descriptions of PGP technology and products are subject to availability only if PGP Corporation decides to build them and when PGP Corporation decides to make them commercially available. Actual results could differ materially from those expressed in any forward-looking statements. Risks and uncertainties that PGP Corporation faces that could cause results to differ materially include risks associated with any unforeseen technical difficulties or software errors related to the final development and launch of any of PGP Corporation's products; any technological or standards changes in the security, encryption and authentications market which could make PGP Corporation's products less competitive or require feature changes in these products; any slowdown in the adoption by businesses of encryption suites, secure email, Internet technologies or related standard. The forward-looking statements contained in this release are made as of the date hereof, and PGP Corporation does not assume any obligation to update such statements nor the reasons why actual results could differ materially from those projected in such statements.

PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole property of their respective owners.


Media Contact – U.S.:
Tom Rice
Merritt Group
+1 703 856 2218
rice@merrittgrp.com

Media Contact – Germany:
Ingrid Daschner
Johnson King
+49 (0) 89 8940 8511
ingridd@johnsonking.de

Media Contact – Japan:
Kyosuke Wakairo
Powered Communications Inc.
+81 3 5211 7899
pgp@powered-communications.com

Media Contact – U.K.:
Jacqui Depares
Johnson King
+44 (0)20 7401 7968
jacquid@johnsonking.co.uk
