8 Cheap Tips for Avoiding Pesky (and Expensive) Data Breach Notifications
IT and legal need to limit the risks associated with incident response while conserving resources--especially during the current economic downturn. These easy data breach protection tips shouldn't break the bank and may give you the elusive and magical ROI you need.
As an attorney who regularly handles security breach matters, I can tell you the problem with the state database security breach laws is that they are reactive and not proactive. While hard data is admittedly difficult to gather, there appears to be substantial evidence that security breaches are occurring very frequently, while at the same time (at least according to Javelin Strategy and Research's 2008 identity theft surveyidentity theft is actually going down. In addition, Javelin's findings indicate that the vast majority of identity theft issues arise, not from security breaches relating to data held by third parties, but from telephone and e-mail scams, security breaches on the consumer's own computers because of failure to use proper software, and lost wallets. In any event, there appears to be little hard evidence that demonstrates that consumers are able to avoid identity theft because they receive notifications when their electronic data may be subject to a security breach.
Nevertheless, if you check with your colleagues at other organizations you might find out that they are spending serious money—millions of dollars in dealing with notifications that could be better spent on better security procedures, technology or training. According to Javelin's survey, a security breach costs companies almost $200 per lost name in terms of costs associated with incident response (including, among other things, money spent on lawyers like me who assist in responding to an incident and drafting and sending out notices, payments to private investigators and forensic experts as well as payments to credit bureaus and insurance companies.) Others have reported a data breach that exposes personal information costs companies an average of $268,000 to inform their customers/employees even if the lost data is never used. This is crazy. (Also read TJX Data Breach: Ignore Cost Lessons and Weep.)
While we can't stop the insanity completely—last time I checked I am not a member of any state or federal legislature—it is our job (IT and Legal)—to try and limit the risks associated with incident response while conserving resources. These tips shouldn't break the bank and may give you the elusive and magical ROI you have been searching for:
data
Receive the latest security news as it breaks.
