Opinion: Ignoring data breaches means ignoring risk management

Corporate America's concept of "consumer loyalty" has been replaced with its struggle to keep pace with an onslaught of privacy compliance mandates. Fostering customer confidence and trust is arguably the most critical element of building and maintaining an enviable reputation among competitors, yet businesses across the United States today are falling terribly short on this fundamental task. Current consumer consensus reinforces that fact. Information transparency dictated by the environment in the wake of the Sept. 11 terrorist attacks has evoked feelings of cynicism and helplessness among the American public, and for good reason. Banks, government organizations, retailers and healthcare providers now possess 24/7 access to personal data that, in the wrong hands, could pose an identity theft massacre.
A recent study conducted by Ponemon Institute found that breach notifications are causing organizations to lose millions of dollars to expenses and tens of millions to customer turnover. Recent incidents reported by CardSystems Solutions Inc., Time Warner Inc., Ameritrade Holding Corp. and the Federal Deposit Insurance Corp. are prime examples of how these breaches can not only become public relations crises resulting in class-action lawsuits, but also create an inability to attract and retain customers, severely crippling corporate brand reputation. Thanks to new state laws prompted by these high-profile consumer breaches, businesses and government organizations are finding it nearly impossible to keep such breaches from becoming public knowledge. In fact, in states including Florida and Ohio, any data breach with a "reasonable risk" of identity theft (characterized by third-party usability and/or likelihood to commit theft) must be disclosed to consumers within 45 days. This is a good start to holding these organizations more accountable for protecting consumer data. However, these changes only scratch the surface of a solution and clearly are not enough to prevent the problem from worsening.
The cliche, "an ounce of prevention is worth a pound of cure," could not ring more true for corporations at risk today. Prevention begins with organizations taking a proactive approach to employing a variety of risk mitigation methods. Data protection practices need to be treated as a separate business, under a team of professionals specializing in security risk. Data protection is often overlooked in corporate disaster plans and many businesses are forced to deal with the consequences in the aftermath of a crisis. To that end, companies must understand their data through consistent, close inventory practices, ensuring its location at all times. Because it is never advisable to store all data in one place, companies need to consider remote offices and determine how much data each can and should safely store. The extra investment in the time it takes to conduct drills for moving and storing data will pay great dividends in the event that a breach occurs and in its aftermath.
If history serves as an indication, we have seen only a taste of the corporate and consumer consequences resulting from data breaches. Implications for the future of corporate America are undoubtedly becoming more widespread, potentially threatening the strength of U.S. business and the restoration of a thriving economy. It is time to take responsibility. Organizations and the entities that govern them must take swift action toward protecting consumers before they risk losing them and much more.

Dr. Larry Ponemon is founder of The Ponemon Institute, an organization dedicated to advancing responsible information and privacy management practices in business and government. He is also a member of the Unisys Security Leadership Institute (SLI), a forum of nationally recognized security experts from business and government that provide insight into emerging security issues and best practices to organizations worldwide.