DDJ: With us today is Robert Scott, managing partner at Scott & Scott, a law and technology services firm that focuses on privacy and network security.
Rob, along with the Ponemon Institute, an independent privacy and information management research firm, you recently conducted a survey that examined the business impact of security breaches. What did you learn?
RS: We learned two things that were really surprising. First, despite the frequency of data breach events businesses are still unprepared. They do not have proper security policies in place, they are not taking advantage of encryption technology to protect data, and they are not consulting with legal counsel before responding to an event which could leave them vulnerable to legal liabilities. Second, we learned that businesses believed that data subjects typically suffered little or no actual monetary harm as a result. However, these businesses are required to notify all subjects of a breach regardless of the perceived threat -- a process that can be very damaging to a business’s financial health and reputation. If notification requirements are not providing tangible consumer benefits such as preventing possible future economic harm, then it may be time to reevaluate the requirements.
DDJ: Can you briefly tell us about the survey. Who were the respondents, for instance?
RS: There were a total of 702 respondents including various C-level executives, chief information officers, and a range of IT security professionals in mostly large businesses. The respondent businesses spanned all industries including financial institutions, insurance, retail, professional services, the technology sector, and so on.
DDJ: What practical lessons can be learned from the survey results?
RS: I can’t overstate the importance of encryption technology on all devices containing confidential information. It is the single most effective way to prevent the business risks associated with a data security breach. If information is encrypted not only does it render the data unreadable, but your company may be exempt from costly and damaging notification requirements.
DDJ: Is there a web site that readers can go to for more information on these topics?
RS: A copy of the survey report is available on our web site at www.scottandscottllp.com.