While Congress and state legislatures debate which regulatory compliance laws to implement, we sit back, read the headlines about data breaches, and think, "Boy, that's going to cost that company a bundle in fines; thank goodness it wasn't us."
The missing subtext here is that regulatory compliance, while important, is a reaction. Regulatory compliance plays an important role in data security. But the heightened push for regulatory compliance also reflects the willingness of corporations either to adopt or to ignore best practices when it comes to data security.
Customers aren't willing to do business with companies that don't make data security a priority. The Ponemon Institute suggests that 20 percent of the customers of a company whose data has been breached discontinue their relationship, while another 40 percent consider cutting their ties. All because of a single mistake.
That's why becoming compliant is only part of the battle. Regulatory compliance does not guarantee the integrity of corporate data. Nor will it guarantee happy customers. To be sure, there exist diverse threats, including Internet hackers, stolen laptops, lost tapes,
This wait-and-see attitude is in part an unintended by-product of compliance. Why implement a security and privacy solution until you know exactly what you'll need to satisfy Uncle Sam? There are several reasons not to wait: brand erosion, customer loyalty, even a company's very existence are at stake. One breach can wipe out a going concern, regardless of how or whether the government reacts.
Yet most companies' eyes are focused solely on Washington, D.C., because of the complexity of a holistic compliance solution at every level. A survey of American companies by analyst firm Enterprise Strategy Group discovered that 60 percent of companies never encrypt data backed up to tape, despite the fact that many recent high-profile breaches involve the loss of backup tapes or disks (unencrypted, of course). No wonder more than 80 million Americans were victims of a security breach in 2005.
The government's reaction to these breaches, in terms of fines and demands for greater regulation, generates headlines. But it was customers that put CardSystems out of business. CardSystems, a credit card processor victimized by a security breach that exposed the records of 40 million people in May 2005, lost a major contract with Visa. By December of last year, the company was forced to shut its doors.
Such fates can be avoided at a reasonable cost. According to Gartner, it costs $6 per customer to encrypt data. It costs $90 per customer to deal with a breach (which could have been rendered moot by encryption). In the CardSystems case, the perpetrators accessed networked data that was not encrypted. Had it been encrypted, CardSystems might well still be in business. In the case of stolen or lost records saved to tape or disk, encrypting the data would have rendered the records useless to thieves.
Management should worry more about protecting customers than simply appeasing regulators. The focus on regulatory compliance clearly is important. But equal effort should be invested in making the data secure as well.
Suresh Vasudevan is senior vice president at Network Appliance. He is general manager of its Decru unit.