Caution CFOs: Breach Ahead

On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network. The company’s information security team … took aggressive actions to protect all systems and data. As a result of the swift and deliberate actions… our systems remain secure; no customer, program or employee personal data has been compromised.

This is a snippet of the statement released by Lockheed Martin late last month. It is clear that Lockheed was trying to get a grip on the incident, which was reported to have been linked to the earlier RSA breach.

The 2009 Data Breach Hall of Shame

Since the start of the year, we’ve seen numerous high-profile disclosure statements spanning industries as diverse as the gaming market with Sony and online marketing with Epsilon. This swath of takedowns can be taken as proof that executives, including CFOs, from every organization need to be on alert and prepared.

While Lockheed spends a good deal of time in its statement talking about IT, just as important is the CFO’s holistic view of what a breach — or even hint of a breach — could do to a company’s reputation. IT will be laser-focused on security technology, but it is the CFO that has to band together with other C-suite executives to assure stockholders, customers and other necessary parties that the company has a handle on the situation and is in control.

A March report released by the Ponemon Institute and Symantec finds that “the average organizational cost of a data breach increased to $7.2 million [in 2010] and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009.” Ponemon researchers added that “organizations’ need to respond rapidly to data breaches drove the associated costs higher.”

To inspire confidence in the wake of a disclosure requires significant upfront work. CFOs must be familiar with federal, state and industry privacy laws and their post-breach notification mandates. Organizations should have at the ready a formal statement, a method for notifying customers and possible mitigation plans such as having to quickly cancel user accounts or cards and issue new ones.

I highly recommend doing drills with various scenarios such as an actual breach that you know to have resulted in lost data; a suspected, but unconfirmed, disclosure of data; and the loss of data by a partner (as happened with customers of Epsilon).

Doing test-drives helps you understand who out of the organization has to be involved, what their roles are, and how quickly you can get in contact with your customers. It also gives CFOs an idea of what each scenario could cost the organization. If you ever doubt the impact of a possible loss, just remember that the Department of Veterans Affairs in 2009 paid $20 million to settle a class-action lawsuit surrounding the loss of an agency laptop that could have exposed clients to identity theft.

This could be you.