About a year ago, MasterCard revealed that data thieves had breached the systems of its credit card processor, CardSystems Solutions, gaining access to an estimated 40 million consumer records from MasterCard, Visa, and other credit card companies. If this were the only major breach last year, the story might have been forgotten. But the incident was far from isolated.
In the months surrounding that breach, data leaks were reported by dozens of other name-brand, well-respected companies including Bank of America (BAC), Boeing International (BA), ChoicePoint (CPS), LexisNexis, Time Warner (TWX), and Wachovia (WB). Now halfway through 2006, instances of data exposure have been reported by Blue Cross, FedEx (FDX), Hewlett-Packard (HPQ), Honeywell International (HON), Wells Fargo (WFC), and several more.
These companies all employ experienced IT professionals and boast huge IT budgets, but they underestimated their exposure. Most companies think their data assets are well-managed and secure. Yet look what's happening. Companies are under attack from a spectrum of diverse threats, be they Internet hackers, stolen laptops, lost tapes, or disgruntled employees.
HUGE RISKS. Even the most respected, well-intentioned companies can be attacked and penetrated, and they represent only the tip of the iceberg -- the cases that make the headlines. In reality, every company is in jeopardy.
As a result of all these breaches, the records of roughly 55 million Americans -- essentially one in six -- were exposed in 2005 alone, according to USA Today. The recent loss of 26.5 million veteran records by the Dept. of Veterans Affairs indicates that the scale and scope of security breaches will continue to increase as organizations collect and store ever-increasing amounts of data.
Companies that routinely deal with sensitive data must reduce their exposure to data loss even further. Aside from the obvious fact that their customers and employees deserve the highest level of protection, it's the responsibility of executives to grow their company's bottom line, protect its brand image, and preserve customer loyalty. A data security breach can set a company's financials, brand equity, and customer base back several years in a single day.
AN OLD LESSON. ChoicePoint, a leading supplier of identification and credential verification services, spent $26.4 million in fines and legal fees after hackers stole the personal information of at least 145,000 of its customers. But there were greater losses to its bottom line that can't be measured on a balance sheet. The ChoicePoint incident led to roughly 750 cases of identity theft and congressional hearings that dogged the company's public relations and brand for the better part of the year.
How many customers left ChoicePoint in the wake of the incident? How many more potential customers took ChoicePoint off their short list? A 2005 study by the Ponemon Institute found that nearly 20% of customers working with companies that sustained a breach discontinued their relationship with the company. Another 40% were considering another vendor. That's 3 out of 5 customers, representing a massive decay of customer trust and brand equity.
How do you avoid becoming the next headline or the next company looking at a multimillion-dollar fine? Companies must have a systemic approach to protecting data: Put it in a safe place, restrict access, and ensure that only those who are authorized can obtain it. Essentially, you should create a data vault. Think of it like a safe deposit box for your data.
GOOD EFFORTS REWARDED. In order to gain access to a safe deposit box at a bank or financial institution, you need at least two keys -- one from you, the owner of the box, and one from the bank. In the digital world, the safe deposit box is encryption. It requires specific keys to access specific information.
A "key" is required for decrypting as well as encrypting data. Without the key, a thief in possession of encrypted data has stolen little more than an empty container. Likewise, destroying the key for a piece of data effectively deletes that data. In an era when headlines pop up almost weekly about a new data breach, the value of staying out of the headlines is immense. And even if an incident is announced, a headline about stolen data that was useless because of your company's efforts to reduce risk could even be a boon to your brand.
Some companies are getting the message. Six months ago, the biggest customer base for encryption products sold by my company, Network Appliance (NTAP), was the government, particularly military and intelligence organizations. Now, financial-services companies are making substantial investments in protecting consumer data.
DOLLAR SENSE. And Iron Mountain, a company that provides records-management services for both physical and digital media to more than 90,000 companies, has repeatedly recommended encryption to protect sensitive data stored on backup tapes to all its off-site data-protection customers.
Nonetheless, most companies -- even some of America's biggest brands -- continue to take a wait-and-see attitude. In a 2005 survey of 388 U.S. storage professionals, analysts at Enterprise Strategy Group (ESG) discovered that only 7% of those storage pros always encrypt their data when it is backed up to tape, and 60% never do.
ESG also found that more than half of the surveyed organizations whose revenues exceed $1 billion never encrypt backup data, nor do nearly two-thirds of financial-services companies. More than three-quarters of governmental departments also fail to encrypt.
Gartner Research estimates that a company with at least 100,000 accounts to protect can spend as little as $6 per customer account in the first year for data-encryption technology to prevent breaches. Compare that with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach, to say nothing of the cost of brand damage. Moreover, these costs may escalate dramatically if proposed legislation is enacted mandating fines up to $11,000 per exposed and damaged customer account.
THE BUCK STOPS HERE. Data-security regulations could support companies in efforts to reduce risk now and in the future if laws were written to encourage businesses to employ risk-reducing technologies such as encryption, and/or make reasonable efforts to protect data. Congress can do so by providing such companies with safe harbor from regulatory punishment.
Some laws currently on the books do not distinguish between companies that lose data useful to thieves and those that lose data rendered useless by encryption. Making this distinction has been advocated in Washington by Network Appliance founder and Executive Vice-President Dave Hitz.
The bottom line is that it shouldn't take the government to convince companies to employ risk-reducing strategies. The out-of-pocket costs of encryption and data security as a whole are minimal compared with the potential financial, customer, and brand-equity losses companies can -- and have -- suffered as the result of a single breach.
Dan Warmenhoven is CEO of Sunnyvale (Calif.)-based Network Appliance.