
[ISN] Survey Assesses Impact of Data Security Breach


By Jonathan Erickson
May 15, 2007

DDJ: With us today is Robert Scott, managing partner at Scott & Scott, a 
law and technology services firm that focuses on privacy and network 

Rob, along with the Ponemon Institute, an independent privacy and 
information management research firm, you recently conducted a survey 
that examined the business impact of security breaches. What did you 

RS: We learned two things that were really surprising. First, despite 
the frequency of data breach events, businesses are still unprepared. 
They do not have proper security policies in place, they are not taking 
advantage of encryption technology to protect data, and they are not 
consulting with legal counsel before responding to an event which could 
leave them vulnerable to legal liabilities. Second, we learned that 
businesses believed that data subjects typically suffered little or no 
actual monetary harm as a result. However, these businesses are required 
to notify all subjects of a breach regardless of the perceived threat -- 
a process that can be very damaging to a business's financial health and 
reputation. If notification requirements are not providing tangible 
consumer benefits such as preventing possible future economic harm, then 
it may be time to reevaluate the requirements.

DDJ: Can you briefly tell us about the survey? Who were the respondents, 
for instance?

RS: There were a total of 702 respondents including various C-level 
executives, chief information officers, and a range of IT security 
professionals in mostly large businesses. The respondent businesses 
spanned all industries including financial institutions, insurance, 
retail, professional services, the technology sector, and so on.

DDJ: What practical lessons can be learned from the survey results?

RS: I can't overstate the importance of encryption technology on all 
devices containing confidential information. It is the single most 
effective way to prevent the business risks associated with a data 
security breach. If information is encrypted, not only does it render the 
data unreadable, but your company may be exempt from costly and damaging 
notification requirements.

DDJ: Is there a web site that readers can go to for more information on 
these topics?

RS: A copy of the survey report is available on our web site at 
