Jun 30, 2008

Surviving the fallout

Data breaches have become commonplace

It seems that every time a company makes a move, or doesn’t for that matter, it faces a new risk. If it’s not regulators passing new laws or investors demanding unprecedented access to the board and management, it is rogue outsiders or poorly managed intermediaries putting sensitive corporate data at risk.

The environment surrounding corporate data has become far riskier in recent years. It appears that few major companies have not experienced some level of data breach. Sometimes these breaches come in the form of malicious theft, deliberate distribution from an internal source, loss in transit or something as basic as a stolen laptop. Peter Teuten, president and CTO at Keane BRMS, explains that the types of possible breaches are associated with three key elements: theft, destruction and corruption.

Each of these elements carries potential risks to the corporation in areas such as reputation, business interruption and disaster recovery, compliance and regulation, extortion and legal exposure.

Expensive and burdensome

For corporate lawyers and others faced with the task of protecting sensitive materials, this area is quickly becoming an ongoing nightmare. The penalties for failing to prevent data breaches, whatever the cause, are also becoming far more severe. Many states have passed strict new laws in the past two years, placing a far greater burden on companies to ensure security. But it is not just legislative risk that poses a problem. High-profile data breaches can lead to considerable media coverage, and the effect on corporate trust and reputation is almost always negative. Shareholders and the public do not take kindly to having their information find its way into unknown hands. Monetary costs can be high as well: in most states the company is required to notify each victim of the breach and to take remedial action, and this can add up quickly.

The problem might seem overwhelming. But the statistics make for compelling reading. According to information gathered by the Privacy Rights Clearinghouse (PRC), a total of 329 data breaches occurred in 2007 alone. That figure includes public and private companies as well as universities and government departments. So far, up until June 15 this year, PRC says there have been 173 serious breaches. The total number of records containing sensitive personal information involved in a security breach since January 2005, as calculated by PRC, is 229.44 million. And clearly this is not just a matter of resources. Some of the largest and most respected companies in the country have experienced serious breaches in the past 18 months including Altria, Bank of America, JPMorgan, IBM, Pfizer, Merrill Lynch and American Airlines.

Prevention is the best medicine

But this is no time to lose hope. There are many things a company can do to minimize the risks of a data breach and also to mitigate negative effects when it does happen.

Teuten explains that prevention is all about process and that process is built around consistent and evidentiary precursors that can actually prevent the event from occurring. As with almost all other types of risk management, the fundamental steps are measure, manage and monitor.

The desired result is, of course, to prevent any breach from occurring. The only way to really prevent a breach is to take preventive precautions appropriate to your tolerance for risk and, in addition, to apply consistently and repeatedly the processes that continue to mitigate the risk on an ongoing basis.

‘In other words, there is no point building a disaster recovery plan and merely putting it on the shelf and forgetting about it. A recovery plan and a business continuity plan are no good unless they are continually tested and evaluated,’ says Teuten.

Perhaps the most fundamental part of any effective prevention plan is detection. Many events, as Teuten explains, go undetected, and the longer this goes on, the worse the damage will be. In order to detect and prevent a breach you need technologies that continually scan your data and check its integrity. ‘It is pointless to suggest that data is secure just because it is in a file or network. The integrity and flow of information must be monitored and assessed. The components of a good plan are integrity of the data, integrity of the network on which the data resides and integrity of the people managing the network,’ says Teuten.

It’s in the plan

Even the best prevention processes, however, won’t always work. So what should a company do in the event of a breach? As with any other problem, planning is key.

Guilty until proven innocent seems to be the attitude of the SEC and, in the UK, the Financial Services Authority, not to mention that of shareholders. Therefore, process and transparency are vitally important. If you can overtly show regulators or litigants that preventative steps have been consistently taken, adhering to a strong standard sufficient under normal circumstances, then you create defensibility.

In the case of a breach, you have to be able to define, from a business continuity perspective, a recovery point objective (RPO) and a recovery time objective (RTO). The RPO basically lays out how the company can get the data back and how it can secure the data so that it will be of no use to competitors. Creation of this type of policy is key to any continuity model. The RTO is the timeframe in which this activity will take place.

Your RPO and RTO, Teuten explains, require a very clear set of predefined processes and a clear methodology of communication. The communication aspect is vitally important when dealing with litigants, regulators, shareholders and the media. Teuten notes: ‘You need to be able to define the nature of the event and the plan you have in place to deal with it. It all comes down to defensibility and your ability to communicate this effectively.’

‘At the end of the day,’ Teuten highlights, ‘everything is peer-group related. The key point is that you are going above and beyond what your peers are doing and you are doing more than the next guy. If you are best in class then you should be quite safe.’

Brendan Sheehan

Brendan Sheehan is the former Executive Editor at Corporate Secretary magazine, and is a leading expert in public company governance and compliance. He regularly lectures on cutting edge governance, risk and compliance issues and is a regular...