Monday, December 15, 2008

Protecting Data is Never Having to Say You're Sorry

According to the Enterprise Strategy Group ("Transitioning to an Information Infrastructure," June 2007), "While it is not found on a balance sheet, information is quickly becoming a leverageable corporate asset that has both value and risk implications."

Most enterprises seem to have a good handle on leveraging the value side of information, because that's what they do. They gather information and use it to make money. Typically, however, not nearly as many resources or as much effort go into protecting that information. It's not that your typical large enterprise doesn't do anything to protect its data; it's just that it doesn't do enough. And if something bad happens to that data, an apology just isn't going to cut it.

This problem literally affects everyone. How many times have you filled out a form online, or opened an account down at your local bank, only to find yourself cringing a little when the bank officer cheerfully asks for your "social"? I know I always give it to them without arguing, but what I really want to ask them is what they are going to do to protect it and all the other personal information I'm freely handing them.

I know that if I did ask the question, they would all have a ready, and soothing, answer. I'm sure at least one of the Titanic's passengers walking up the gangplank asked a crew member if the ship was really unsinkable. The answer would have been a firm, reassuring yes, but, sadly, it wasn't the real answer.

I'm sure that every responsible enterprise today believes that it is adequately protecting the sensitive and confidential data it has been entrusted with. Well, the truth is: they are not.

Take a look at DataLossDB.org. This site tells the true tale of documented and reported data loss incidents world-wide. Let's just say I was astounded at the enormity of the problem.

Big companies. Lots of data. Big problems. Did anyone get so much as an apology? And who is impacted by these security breaches? Everyone. Businesses. Customers. Employees. Suppliers. That's where it gets personal.

I speak from experience, because my personal information was compromised in 2006 when Fidelity Investments lost a laptop containing the personal information of 196,000 retirees and former employees. Yes, I was among them. According to Computerworld, that theft may have exposed such information as names, social security numbers and compensation details.

According to a survey conducted by the Ponemon Institute of 700 US-based C-level executives, managers and IT security officers at mid-size to large businesses, organizations that experienced a data breach incurred the following costs:

  • 74% report loss of customers
  • 59% faced potential litigation
  • 33% faced potential fines
  • 32% experienced a decline in share value

The Ponemon Institute conducted another study on the cost of a security breach and found that companies spend almost $200 per name breached. They also found that the money goes, among other things, to lawyers, private investigators, forensic experts, credit bureaus and insurance companies.

I have no idea if the incident back in 2006 cost Fidelity $39M (I called to check, but unfortunately Fidelity is a private company). Though I do remember getting a free one-year membership to Equifax and a form letter of apology. I wouldn't have traded my personal data for those things, but at least they were sorry.

My personal ordeal, of course, raises the larger question. With the cost of a breach so high, why are there so many breaches? I am guessing it is because it is difficult for those responsible (yes, us managers) to effectively build the business case for providing adequate controls for our information.

A recent article on CIO.com ("Myth or Truism? Security Experts Judge," November 10, 2008) asked several experts whether it is possible to measure the Return on Investment (ROI) for security.
