Question: What did the study look at?
Scott: The study looked at the business impact of data breaches from the perspective of certain key questions around organizational preparedness, whether costs were measured, what caused the breaches and how breaches affected the organization's strategy going forward.
Question: What were some key findings?
Scott: 85% of the companies that responded said that they experienced loss of personal information, and that 42% of all of those losses came from devices such as laptops or PDAs. Of the companies that experienced loss, 54% subsequently implemented encryption. Only 27% of the companies that had no breach had encryption.
Question: What do you make of this?
Scott: Many companies are being far too reactive and failing to be proactive in implementing measures to avoid negative business consequences related to data breaches.
Question: What are you telling your clients?
Scott: That if you store personal information you're at risk for a data breach and the associated impacts measured in this study. We are telling them that there are a number of things you should be doing to mitigate that threat. Implementation of encryption technology is number one. They also should consider development of an incident response plan that is legally appropriate for their particular business requirements. They should make sure that there is appropriate training and awareness related to privacy and best practices. The final thing we are telling our clients in high-risk industries, such as financial services, is that they should consider corporate identity theft insurance.
Question: Do they listen?
Scott: Our clients are very receptive and many genuinely are concerned about data privacy, regulation, how to apply rules, and how to implement policies and procedures so they are not setting themselves up for a class action lawsuit on the back end.
Question: How can companies protect themselves?
Scott: We suggest to all our clients that store sensitive personal information — and particularly those in the financial service industry that are highly subject to criminal activity such as identity theft — that they consider insurance. It covers the cost of breach notification, the cost of crisis management and PR, the cost of providing credit monitoring services, and it pays for legal defense in relation to regulatory enforcement and private class action litigation. It covers the probable damages that result from a notice-triggering incident.
Question: What percentage of these laws release companies from liability if they encrypt?
Scott: I would say 98%. Most of the statutes have an express encryption standard written into the definition. They define personal information under the law as data being unencrypted or they use a harm standard that says [that if there is encryption there is] no probability of identity theft or harm to the victim, so the companies don't have to give notice. If all data on a lost laptop is encrypted and password-protected, you have a situation where there is no notice obligation. It started with house bill 1386 in California, approximately five years ago. Now 35 states have similar laws and there are federal provisions as well for financial institutions, which are federally administered. The laws that you have to look at are those in the jurisdiction where the person whose data was compromised resides.
Question: That's quite a carrot. So the bottom line is that companies need to pay attention to these issues both as good corporate citizens and also to protect themselves. Do they understand the cost of not doing so?
Scott: Measuring the costs of data breach is important, but only 21% of businesses that had a loss are even measuring the loss of customers. I guarantee when people start looking at the cost of losing customers more carefully they will look at insurance and encryption more carefully as well. More of them will avoid over-reporting. 37% of people just notified anyone without consulting experts to find out who had to be notified. They just notified the whole world. Over-reporting is a very, very poor decision. The key is to avoid over-reporting. Once you start down the path of doing reporting — once word is out — you have a media problem to deal with.
This Executive Briefing originally appeared in a weekly report from IT Business Edge.
This was first published in June 2007