Data security and regulatory illusions

NetApp's Suresh Vasudevan says staying out of trouble means more than following Washington's compliance mandates.

There's something very backward about the way companies view data security today.

While Congress and state legislatures debate which regulatory compliance laws to implement, we sit back, read the headlines about data breaches, and think, "Boy, that's going to cost that company a bundle in fines; thank goodness it wasn't us."

The missing subtext here is that regulatory compliance, while important, is a reaction. The heightened push for compliance mandates reflects how unwilling corporations have been to adopt data-security best practices on their own.

Customers aren't willing to do business with companies that don't make data security a priority. The Ponemon Institute suggests that 20 percent of the customers of a company whose data has been breached discontinue their relationship, while another 40 percent consider cutting their ties. All because of a single mistake.

That's why becoming compliant is only part of the battle. Regulatory compliance does not guarantee the integrity of corporate data. Nor will it guarantee happy customers. To be sure, the threats are diverse: Internet hackers, stolen laptops, lost tapes, disgruntled employees, and that's just a few. But there are plenty of proven technologies, encryption among them, that come about as close to bulletproof security and privacy as anything available. The irony is that so many companies continue to drag their heels when it comes to using what's available to protect themselves.

This wait-and-see attitude is in part an unintended by-product of compliance. Why implement a security and privacy solution until you know exactly what you'll need to satisfy Uncle Sam? There are several reasons not to wait: brand erosion, customer loyalty, even a company's very existence are at stake. One breach can wipe out a going concern, regardless of how or whether the government reacts.

Yet most companies' eyes remain fixed solely on Washington, D.C., because building a holistic security solution at every level of the business is complex. A survey of American companies by analyst firm Enterprise Strategy Group found that 60 percent of companies never encrypt data backed up to tape, even though many recent high-profile breaches involved the loss of backup tapes or disks, unencrypted, of course. No wonder more than 80 million Americans were victims of a security breach in 2005.

The government's reaction to these breaches, in the form of fines and demands for greater regulation, generates headlines. But it was customers that put CardSystems out of business. CardSystems, a credit card processor victimized by a security breach that exposed the records of 40 million people in May 2005, lost a major contract with Visa. By December of last year, the company was forced to shut its doors.

Such fates can be avoided at a reasonable cost. According to Gartner, encrypting data costs about $6 per customer, while dealing with a breach costs about $90 per customer, a cost that encryption could have rendered moot. In the CardSystems case, the perpetrators accessed networked data that was not encrypted. Had it been encrypted, CardSystems might well still be in business. In the case of records lost or stolen on tape or disk, encrypting the data would have rendered the records useless to thieves.

Management should worry more about protecting customers than simply appeasing regulators. Regulatory compliance clearly matters. But equal effort should be invested in making the data itself secure.