Uncle Sam's newest security challenge to businesses
Congress will soon consider new laws to better protect businesses against security breaches. Websense CEO Gene Hodges argues against a one-size-fits-all approach.
Over the past two years, data leaks have compromised more than 150 million personal-data records, according to the Privacy Rights Clearinghouse.
These breaches come with a high price tag. Forrester Research says that a security breach can cost anywhere between $90 and $305 per record, meaning that the cost of a single, significant breach may run into millions or even billions of dollars. The problem is certainly not going away, and it's no surprise the federal government is considering laws to mandate how sensitive data is handled.
This fall, pending legislation could have a significant impact on how businesses are required to protect confidential information, as well as when and how they are required to notify the public in the event of a breach. Several legislative bills are expected to be introduced in Congress that would specifically address identity theft protections, the storage and encryption of sensitive cardholder data, and wireless data security.
The outcome of this legislation remains uncertain, but it appears there is building support within Congress to take more proactive measures for enforcing higher data security standards.
The business world has already experienced the impact of government attempting to control the inner workings of an organization. Sarbanes-Oxley is well-intentioned, but the cost of compliance has been staggering for many businesses. A recent study by Foley & Lardner found that since 2001, the average cost of SOX compliance for companies with under $1 billion in annual revenue has increased more than $1.7 million to approximately $2.8 million.
It's important that all of a business' stakeholders--employees, partners, and consumers--are promptly notified when confidential information has been breached. This could include personal information, trade secrets, financial data, and more. However, the government will face a monumental challenge if it tries to prescribe: 1) what exactly constitutes confidential information and 2) how to protect said data.
Across different industries and organizations, the definition of sensitive information varies greatly. It may be patient forms at a hospital, patent applications at a research facility, or credit card numbers at a retail store. There are common threads among all industries, such as employee Social Security numbers, but the nuances from one business to the next will make it nearly impossible to make an overarching definition of sensitive information.
It's logical to expect that compliance with data protection laws could have financial implications similar to SOX. The laws will likely require a combination of technology and processes to protect data, which are ultimately going to have hard costs and could take time to implement across the board.
A one-size-fits-all approach to data protection simply won't work. Protecting financial information for a small retail chain will not be the same as what's required for an international bank. It's important for the government to compel businesses to notify the public promptly when a breach has occurred, but the onus is on the business to determine what data it needs to protect and to implement the right policies and technology to ensure it's secure.
The board is in the best position to identify the company's "crown jewels"--from employee and customer data to trade secrets. When considering what information is most important to protect, anything deemed "material" to the organization and subject to indemnity disclosure is often a good benchmark for setting internal content protection policies.
Most boards will realize that if they have an indemnity disclosure and financial risk associated with a data breach, it is in their best interest to protect their sensitive data or potentially face costly intellectual-property loss and legal damages associated with a breach.
Once sensitive data is identified, technology can be employed that acts as a digital content guardian, controlling who accesses the data and how it's accessed, as well as where and how it's shared. No one knows your business like you do. However, by not taking the appropriate steps to protect your data in advance of a potential breach, you could be exposing your company to tremendous risk--which could ultimately be your last mistake as a business.