Several bills are expected to be introduced in Congress soon that would have a significant impact on how businesses are required to protect confidential information, as well as when and how they must notify the public in the event of a breach.
But government will face a monumental challenge if it tries to define exactly what constitutes confidential data, or to impose standardized rules for protecting that data.
The definition of sensitive information varies greatly across different industries and organizations. It can include personal info, company financial data, trade secrets and more.
Furthermore, a one-size-fits-all approach to data protection prescribed by government will not work. Protecting financial information at a small retail chain is not the same task as protecting it at an international bank. Each organization must decide for itself the proper policies for protecting data while still enabling its business practices.
Only the board of directors is in a position to identify a company's “crown jewels” — from employee and customer data to trade secrets. When considering what information to protect, anything deemed “material” to the organization and subject to indemnity disclosure is a good benchmark for setting internal content protection policies. Most boards realize that if a breach carries financial risk, it is in their best interest to protect the data or face the costly intellectual property loss and legal damages that follow a breach.
By not taking the appropriate steps to protect your data in advance of a potential breach, you could be exposing your company to tremendous risk — which could ultimately be your last mistake as a business.
Know what is the board's responsibility
From the January 2008 issue of SC Magazine