
Opinion: Ignoring data breaches means ignoring risk management

By Larry Ponemon, Contributor
16 Mar 2006 | SearchSecurity.com


Corporate America's concept of "consumer loyalty" has been replaced with its struggle to keep pace with an onslaught of privacy compliance mandates. Fostering customer confidence and trust is arguably the most critical element of building and maintaining an enviable reputation among competitors, yet businesses across the United States today are falling terribly short on this fundamental task.

Current consumer survey data reinforces that fact. The information transparency demanded in the wake of the Sept. 11 terrorist attacks has evoked feelings of cynicism and helplessness among the American public, and for good reason. Banks, government organizations, retailers and healthcare providers now have around-the-clock access to personal data that, in the wrong hands, could fuel identity theft on a massive scale.

All organizations -- no matter how strict the internal controls or how low the probability of human error -- are vulnerable to data security breaches. And the number of incidents continues to climb. The Ponemon Institute has discovered that during the past year, more than 120 major corporate data breaches have been reported, affecting nearly 56 million individuals.

A recent study conducted by Ponemon Institute found that breach notifications are causing organizations to lose millions of dollars to expenses and tens of millions to customer turnover. Recent incidents reported by CardSystems Solutions Inc., Time Warner Inc., Ameritrade Holding Corp. and the Federal Deposit Insurance Corp. are prime examples of how these breaches can not only become public relations crises resulting in class-action lawsuits, but also create an inability to attract and retain customers, severely crippling corporate brand reputation.

Thanks to new state laws prompted by these high-profile consumer breaches, businesses and government organizations are finding it nearly impossible to keep such breaches from becoming public knowledge. In fact, in states including Florida and Ohio, any data breach carrying a "reasonable risk" of identity theft (characterized by whether the data is usable by a third party and/or likely to be used to commit theft) must be disclosed to affected consumers within 45 days. This is a good start toward holding these organizations more accountable for protecting consumer data. However, these changes only scratch the surface of a solution and clearly are not enough to prevent the problem from worsening.

As it is with any pervasive problem, change demands the collaboration of leading business organizations and both the federal and state governments. The FBI cites identity theft as the fastest-growing crime in the nation, yet Congress waited until recent data breach disasters before even considering consumer risk. Consumers will not regain confidence and a sense of control until stricter standards and protocols are in place verifying that a company is "walking the walk" concerning its stated commitments to privacy and data controls. Notification plays a large role in determining consumer allegiance in the aftermath of a data breach. According to a recent national survey on data breach notification, companies that have a breach in data security are at least four times more likely to experience customer churn if they fail to communicate to their victims in a clear, consistent and timely fashion.

The cliché "an ounce of prevention is worth a pound of cure" could not ring more true for corporations at risk today. Prevention begins with organizations taking a proactive approach to employing a variety of risk mitigation methods. Data protection needs to be treated as a business function in its own right, under a team of professionals specializing in security risk. Data protection is often overlooked in corporate disaster plans, and many businesses are forced to deal with the consequences in the aftermath of a crisis.

To that end, companies must understand their data through consistent, close inventory practices, so that they know where it resides at all times. Because it is never advisable to store all data in one place, companies need to consider remote offices and determine how much data each can and should safely store. The extra investment in the time it takes to conduct drills for moving and storing data will pay great dividends in the event that a breach occurs and in its aftermath.

Companies also must explore the most effective technology. Encrypting data and the storage media that hold it exempts a company from the breach-reporting obligations of a majority of state laws, because protected data is not treated as exposed. Deployment of software designed to identify enterprise risk, as well as tracking devices such as GPS and RFID, is crucial to locating missing data. Archiving and copying data also will facilitate compliance with reporting obligations. In addition to these preventative measures, education plays a vital role. Companies must commit resources to instruct employees and consumers on the steps necessary to safeguard their own data.

If history serves as an indication, we have seen only a taste of the corporate and consumer consequences resulting from data breaches. Implications for the future of corporate America are undoubtedly becoming more widespread, potentially threatening the strength of U.S. business and the restoration of a thriving economy. It is time to take responsibility. Organizations and the entities that govern them must take swift action toward protecting consumers before they risk losing them and much more.

Dr. Larry Ponemon is founder of The Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices in business and government. He is also a member of the Unisys Security Leadership Institute (SLI), a forum of nationally recognized security experts from business and government who provide insight into emerging security issues and best practices to organizations worldwide.
