Wednesday, April 18, 2007

Would you shop at a store that lost your data?

Would you shop at a store that lost your data? Would you attend a university that exposed your SSN? Would you donate to that university? If you were a veteran, what would you do if the VA lost your data and didn't know where it went? Do you feel better knowing that your data is out there, and does it worry you to think that many organizations don't announce breaches of your private data?

There seems to be a split between consumers' responses when polled and their actual behavior. In the articles I've linked about consumers in the UK, the majority of those polled claimed that they would take their business elsewhere if their data was exposed. The counter article notes that TJ Maxx has gained sales in the past year - in fact, they saw 6% gains in March alone. It may be that notification requirements won't kill our organizations, even if they are embarrassing.

Does this point to consumers accepting data security breaches as commonplace? Stories of people receiving multiple notifications from different organizations in a day or two are floating around, and consumers rail against irresponsible companies. Even if consumers are fed up, it seems that we, as consumers, may be reaching the point that we become used to our data being exposed. The cost of doing business in our current information society is that our data is at risk, and we frequently cannot control how much data companies gather about us. Even if we limit what we give one company, our data can be correlated to data in other databases.

What is the moral of the story for organizations? Is it "Consumers will come back" or is it "Breaches can kill you"? Only time will tell. It may be that in the near term, the huge numbers of organizations leaking data will cause consumers to become inured to the data losses. The legislative backlash that we are seeing nationwide will surely have some effect, both due to required reporting and due to more stringent requirements.

Where does that leave the security professional? With questions, of course:

  1. Are you required by state or federal law to notify, and if so, how, under what circumstances, and how quickly?
  2. What is your organization's breach notification policy?
  3. Do you have procedures in place to handle breach notification?
  4. Do you have an internal communications plan?
  5. Have you looked at insurance? Data breach and information security insurance is just becoming available, and it may be worthwhile for your organization. Dennis Trinkle mentioned insurance in his presentation at the Indiana Higher Education Security Summit - the insurance is out there if you're looking for it.

For now, security folks need to keep track of the laws - both those that are on the books and the bills entering both state and federal legislatures. If you have vendor requirements like PCI, you need to make sure that you meet or exceed them. You also need to make sure that your own policies and procedures keep up with both the law and other requirements.
