[ISN] Survey Assesses Impact of Data Security Breach

From: InfoSec News (alerts@private)
Date: Tue May 15 2007 - 22:26:00 PDT


http://www.ddj.com/dept/security/199501952

By Jonathan Erickson
May 15, 2007

DDJ: With us today is Robert Scott, managing partner at Scott & Scott, a 
law and technology services firm that focuses on privacy and network 
security.

Rob, along with the Ponemon Institute, an independent privacy and 
information management research firm, you recently conducted a survey 
that examined the business impact of security breaches. What did you 
learn?

RS: We learned two things that were really surprising. First, despite 
the frequency of data breach events, businesses are still unprepared. 
They do not have proper security policies in place, they are not taking 
advantage of encryption technology to protect data, and they are not 
consulting with legal counsel before responding to an event which could 
leave them vulnerable to legal liabilities. Second, we learned that 
businesses believed that data subjects typically suffered little or no 
actual monetary harm as a result. However, these businesses are required 
to notify all subjects of a breach regardless of the perceived threat -- 
a process that can be very damaging to a business's financial health and 
reputation. If notification requirements are not providing tangible 
consumer benefits such as preventing possible future economic harm, then 
it may be time to reevaluate the requirements.

DDJ: Can you briefly tell us about the survey? Who were the respondents, 
for instance?

RS: There were a total of 702 respondents including various C-level 
executives, chief information officers, and a range of IT security 
professionals in mostly large businesses. The respondent businesses 
spanned all industries including financial institutions, insurance, 
retail, professional services, the technology sector, and so on.

DDJ: What practical lessons can be learned from the survey results?

RS: I can't overstate the importance of encryption technology on all 
devices containing confidential information. It is the single most 
effective way to prevent the business risks associated with a data 
security breach. If information is encrypted, not only does it render the 
data unreadable, but your company may be exempt from costly and damaging 
notification requirements.

DDJ: Is there a web site that readers can go to for more information on 
these topics?

RS: A copy of the survey report is available on our web site at 
www.scottandscottllp.com

