Data breaches involving privacy information continue to increase despite the costs, embarrassment and negative publicity associated with them. Common themes exist in these two recent breaches:
- In May 2009, UC Berkeley's health services systems were breached, exposing the private information including Social Security numbers of 160,000 people.
- In September 2009, the University of North Carolina's systems were breached, exposing 163,000 Social Security numbers of women taking part in medical research.
Although these two examples came from the health care segment in universities, privacy breaches are occurring with startling regularity across all industries and companies. So what is it going to take for companies to start taking these seriously and institute the proper level of security to prevent them? Is the answer more government regulation, or are enough companies already going through the normal processes to plan and deploy these protections?
I suspect that, for many companies, the cost of a data breach may be just another cost of doing business. For these companies, the costs of a breach, which studies have shown to be anywhere from $150 to $300 per record, are weighed against the costs of process change, education, security technology, and ongoing maintenance associated with reducing the risk of breach. Unless a senior executive intervenes and weighs in on the importance of brand protection and reputation, many companies choose to take a reactive rather than proactive approach.
However, for any individual whose privacy has been compromised, it is a major cost and hassle. It seems as if the pain of an individual or a group of victims is not enough to justify proper privacy protection by a company. This is one reason why many new government regulations are being enacted to protect individual privacy, at both the federal and state levels.
Regulations such as PCI, SB-1386, and HITECH affect many companies and industries, and are generally thought to be well constructed for protecting individual privacy. But what about nonregulated industries where none of these regulations applies? If there are significant privacy records to protect in any industry, it is only a matter of time before the government steps in with regulation if companies in that industry fail to adequately address privacy issues. The government doesn't care if you lose critical manufacturing plans or other intellectual property to a competitor. It doesn't care if all your customer contacts are stolen and sold to your competitor. Protecting this type of information is something a company should already be doing to protect its competitiveness. But the government does care if individual privacy is at risk, and will step in if companies don't step up.
Why is implementing a solution to prevent data loss so difficult? To be fair, this is not a problem that can be solved by one single technology. Addressing this problem often involves understanding how data is handled and transmitted, where data is stored, and educating employees about company policies. IT and security professionals often get overwhelmed by all the different potential leak channels and threats, and don't know where to start.
A layered defense is required for comprehensive data breach protection. Protecting against external threats such as data-stealing malware, hackers, and web application attacks is the first line of defense. This needs to be augmented by data loss prevention solutions that include both content monitoring and filtering as well as encryption capabilities. The 'insider threat,' which arises from employees, contractors and partners, is often the source of the most damaging breaches, whether through carelessness or malicious criminal activity.
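To make the "content monitoring and filtering" layer concrete, here is an added example (not code from the original post, and not any vendor's DLP product) of the kind of outbound content check a DLP tool applies: it scans a constructed set of messages for Social Security number patterns, discards matches that violate the SSA's structural issuance rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives, masks the matches so the alert itself does not leak the data, and applies a simple policy: a single SSN raises an alert for review, while a bulk occurrence is blocked. The message set, the threshold and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample of outbound messages (not real data). A DLP content
# filter would inspect these before they leave the network.
SAMPLE_MESSAGES = [
    "Patient intake form attached; SSN 123-45-6789 for records.",
    "Order #987-65-4321 shipped today.",          # SSN-shaped, but area 987 is never issued
    "Nothing sensitive here, just the meeting agenda.",
    "Research export: 219-09-9999, 045-12-3456",  # bulk leak pattern
]

# Structural SSN shape: AAA-GG-SSSS with word boundaries on each side.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Policy assumption for this example: one SSN may be legitimate (e.g. HR),
# two or more in a single message is treated as a bulk disclosure.
BLOCK_THRESHOLD = 2


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA issuance rules so that random 9-digit strings such as
    order numbers do not trigger the filter."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return every plausible SSN found in the text."""
    return [
        m.group(0)
        for m in SSN_PATTERN.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]


def mask(ssn: str) -> str:
    """Keep only the last four digits so the finding itself is not a leak."""
    return "***-**-" + ssn[-4:]


def scan_outbound(messages: List[str], block_threshold: int = BLOCK_THRESHOLD) -> List[Dict]:
    """Scan messages and return one finding per message that contains SSNs,
    with the action the policy would take."""
    findings = []
    for idx, msg in enumerate(messages):
        hits = find_ssns(msg)
        if not hits:
            continue
        findings.append({
            "message_index": idx,
            "count": len(hits),
            "masked": [mask(h) for h in hits],
            "action": "block" if len(hits) >= block_threshold else "alert",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_outbound(SAMPLE_MESSAGES):
        print(finding)
```

The validity rules matter in practice: without them, any "NNN-NN-NNNN" string (order numbers, part numbers) raises a false positive, and a filter that cries wolf gets tuned down or switched off. Real deployments add further evidence such as proximity keywords ("SSN", "Social Security") and per-recipient policy, but the shape of the check is the same.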