By JIM WHETSTONE, senior vice president, Global E&O, Hiscox Global Markets US
Robert Carr, the CEO of Heartland Payment Systems, has a message for corporate leaders concerned about data breaches: The time is now for the widespread adoption of end-to-end encryption as the next line of defense. The source of Carr's revelation? His payment processing company may have experienced the largest data breach in history, with an estimated 100 million credit-card accounts affected, according to industry analysts.
But if Carr's message is particularly timely given the sharp rise and increased cost of data breaches, it doesn't appear to be universally heard. In fact, 38 percent of Fortune 500 companies in industries where there is a high probability of handling material amounts of personal data, including credit cards, did not explicitly mention privacy/data breach in the risk factors section of their SEC 10-K filing, according to a recent Hiscox Privacy study, Data Privacy and Corporate America--Who's Recognizing the Risk?
Even companies that acknowledge the risk may understate its scope and impact. Of the companies that did include the risk of a data breach as a risk factor on their 10-K, 26 percent failed to mention the potential financial impact. Given the potential for significant reputational damage, it's surprising that just under half (49 percent) failed to identify the reputational risk.
These findings raise two important questions: Do companies fully appreciate the risks they face, and are they doing enough to control and mitigate that risk?
MANY SURPRISES, ONE POWERFUL SOLUTION
There were other surprises in the study. In the specialty retail sector, which has had some of the most costly and high-profile breaches, 52 percent of companies didn't mention privacy/data breaches at all in the risk factors section of their 10-Ks. Clearly, some companies may not be fully acknowledging the risk, which raises the question: How aggressively are they acting to address it?
This is particularly troubling in light of the fact that companies can fight back. While there is no single technology solution to data security, end-to-end encryption is a powerful and effective tool. This approach protects data that is both stored--on company databases, laptops and backup media--and in transit across public and private networks, such as the Internet and e-mail.
Just as anti-virus, firewall and intrusion-detection technologies have over time become standard practice with respect to information security, encryption has emerged as the next logical step.
Encryption technology is becoming more available, more manageable, more functional and more cost-effective. Moreover, by encrypting sensitive data, companies can further focus their attention on access controls, monitoring and those instances when the data must be decrypted for use. And according to a 2008 study on encryption by the Ponemon Institute, organizations with an enterprise encryption strategy showed a statistically significant lower rate of data breaches.
In addition to its other benefits, encryption also offers another huge advantage--legal "safe harbor." Mandatory disclosure of a data breach is arguably the source of almost all of the resulting financial and reputational impact to the company.
Thus, it is significant to note that a great majority of state data-breach notification laws have a provision that exempts companies from notifying affected individuals and institutions if the compromised data was encrypted. A similar provision included in the American Recovery and Reinvestment Act of 2009, recently signed into law by President Obama, applies an encryption safe harbor to the Health Insurance Portability and Accountability Act (HIPAA), which has broad application.
Despite those benefits, however, encryption is still not the norm at many businesses. Just 21 percent of companies have an encryption strategy that is applied consistently across the organization, according to the 2008 study by the Ponemon Institute.
While more than two-thirds--74 percent--have implemented some type of encryption strategy, business is becoming increasingly mobile and interconnected, so a siloed approach to encryption is limited in its effectiveness and manageability. Encryption is most effective when it is deployed as a single platform, employed consistently across the entire enterprise.
The complexity of the data security landscape and the benefits of end-to-end encryption highlight the need for legal, IT and risk management to work closely together to address the exposure. Risk managers should work with the IT department to understand the degree to which the company handles sensitive data and how it's protected.
With legal and regulatory scrutiny and actions on the rise, risk managers must also collaborate with attorneys and other specialists to understand their obligations and the ramifications of the various privacy and data security regulations. And in the current economic climate, IT budgets will be tight, so all should work together to analyze the cost and benefits of encryption relative to other IT projects.
In terms of securing insurance coverage, risk managers will see the providers of privacy and security insurance take a more cautious underwriting approach as the exposure grows and claims and losses mount. In addition to establishing the working relationships with their IT and legal counterparts, risk managers should work with a qualified broker and a knowledgeable underwriter who can help navigate this very fluid situation.
As data becomes more ubiquitous and more valuable, risks increase exponentially. Company leadership--and their 10-Ks and security best practices--must reflect and act on this reality.
May 1, 2009
Copyright © 2009 LRP Publications