Working With Us | Products | Case Studies | FAQ | About Online Media

At a Loss Over Data Loss

Sep
8
2006

Unless you’ve been living under a rock the last couple years, you’ve probably noticed the regular headlines telling of companies that have lost sensitive information. Whether through the negligence of employees or through acts of deliberate calculation on the part of individuals with criminal intent, data known as “personally identifiable information – information that can be used to perpetrate credit and identity fraud – is seemingly exposed to unauthorized eyes on a perpetual basis.

Through my work with the Ponemon Institute I’ve had the privilege of being involved in a number of recent studies on this issue. It’s been interesting and enlightening. Anyone with half a brain can clearly see there’s a problem. Corporate data security systems seem to be made by the same company that makes colanders.

Since I last touched on this topic as part of the “Fear of the Unknown” series, there have been more high profile leaks, including AT&T, Sovereign Bank, and more. I’ve also been affected by another breach – my second this year – having just this week received notice from the Carlson Companies that a laptop containing information about me was swiped from an employee’s “locked rental car.”

So what have I learned from my foray into the world of industry analysis?

Companies don’t give a rat’s toches about protecting your personal information.

Okay, that’s a rather broad statement, and there are plenty of companies that do go to great lengths to keep prying eyes from your files, but consider how easy it was for HP’s board to employ pretexting in order to sniff out their own rat by accessing cell phone records.

According to one of the Ponemon studies, 81 percent of companies surveyed said protecting personal information was a priority (only 81?). But when 81 percent of companies also reported losing a mobile device containing the personal information of customers or employees, there’s an obvious disconnect.

Furthermore, a second study on the subject reveals that 63 percent of companies have no confidence in their ability to prevent a data breach. So much for priorities translating into action and results.

Cost seems to be a factor. If a solution to the data loss problem requires paying out big bucks, the actuaries get to work deciding if the investment is worth it. In other words, if a product designed to prevent the problem costs $5, and the cost of an incident is determined to be $20, but the chances of such an incident occurring are only 1 in 6, that means the odds are a company will save money in the long run by not spending the money. (Those are my hypothetical numbers, by the way, not anything derived from the study.)

Again, so much for priorities.

One consistent finding, and a factor that strikes at the root of the problem, is that there appears to be no executive accountability. In other words, the individual responsible for preventing the problem doesn’t have a “C” in his or her title – as in “chief executive” or “chief technology officer” – or doesn’t have spending authority. Proclamations may be issued from the corner office or the boardroom, but no one with the power to actually make things happen has the digital Sword of Damocles hanging over their head.

If there’s any good news for us common folk, it’s that the actual risks are low that our compromised information will be put to evil use, but that’s cold comfort when you stop to think of what low regard we’re held by the companies with which we do business each day. Your bank, credit card company, retailer, school… few of them seem to care.

What are our options? Vote with your feet. Related studies suggest that a negative consumer response to data breaches can cost. Let those companies know that you value the security of your private information and will only do business with companies that respect the same. If you get a notice, or hear of an incident in the news, take your business elsewhere and let them know exactly why.

When, collectively, we take action that costs a company money, things will begin to change.

Share  Posted by Mike Spinney at 4:42 PM | Permalink

<< Back to the Spotlight blog

Mike Spinney's bio
Email Mike Spinney




Get Our Weekly Email Newsletter




What We're Reading - Spot-On Books

Hot Spots - What's Hot Around the Web



Spot-on.com | Promote Your Page Too

Spot-on Main | Pinpoint Persuasion | Spotlight Blog | RSS Subscription | Spot-on Writers | Privacy Policy | Contact Us