It’s Monday morning and you’ve just settled into your office to start your day. Before you can even finish your first cup of coffee, there’s a light knock at your door. You look up and see one of the regional sales managers standing there, looking rather hesitant. You invite him in and ask what’s on his mind. He hems and haws and then says, “We’ve got a problem.” He proceeds to tell you that his notebook computer was stolen out of his car over the weekend. A copy of the company’s entire customer database is on that laptop, and neither the hard disk nor the customer file is encrypted. He thinks there might be as many as 20,000 names and payment information in the database. He says, “This is bad, isn’t it?” And you tell him, “You have no idea how bad.”
What would you do if this kind of scenario actually happened to you? Would you know who to contact first for help? Would you know which people or agencies you are required by law to notify? What will the company do to help the affected persons or organizations—the ones whose personal or financial information may have been exposed? What would you tell the CEO?
If you think that one lost laptop isn’t that big of a deal, consider this recent story in the American Medical News publication:
"A physician with the Massachusetts Eye and Ear Infirmary was traveling abroad in 2010 when his laptop was stolen. There was no evidence that the patient data stored on the computer were accessed. The hospital reported the incident to HHS [U.S. Department of Health and Human Services], prompting an investigation that identified six areas of noncompliance with HIPAA privacy and security rules. HHS and the hospital announced Sept. 17 that they had reached a settlement and that the hospital would pay the $1.5 million [settlement agreement] and take corrective action to help ensure the security of mobile devices."
In this case there was no evidence that the patient records were ever accessed, yet the hospital still had to pay a significant penalty for noncompliance with government regulations.
Data breaches happen every day. While the breaches that result from hacking attacks grab most of the headlines, it’s the ones that result from careless or inadvertent actions that are most prevalent. A laptop is stolen, a USB stick is lost, a spreadsheet is posted to a website by mistake. These are the kinds of incidents that can happen to any organization. Consequently, every organization needs to be prepared.
According to the Online Trust Alliance (OTA):
"Businesses need to accept three fundamental truths about data: 1) the data they collect includes some form of personally identifiable information (PII) or “covered information”; 2) if a business collects data it will experience a data loss incident at some point; 3) data stewardship is everyone’s responsibility."
"Rather than be lulled into the belief it will not happen to your business, a well-designed plan is an essential part of regulatory compliance, demonstrating that a firm or organization is willing to take reasonable steps to protect data from abuse. Developing a plan can help to minimize risk to consumers, business partners and stockholders, while increasing brand protection and the long-term viability of a business."
Toward that end, the OTA has published a very thorough data protection and breach readiness guide. Regardless of the size of your organization, or the regulations under which you operate, this guide can help you assess the state of data protection in your organization and put together a coherent plan to 1) prevent a breach in the first place, and 2) be ready to respond if a breach does happen.
Read this guide today and sleep better tonight. Then get your act together to practice what is preached in the Online Trust Alliance 2012 Data Protection & Breach Readiness Guide.