Privacy and Data Security a Concern for All

Information security encompasses the processes that an organization employs to protect and secure its systems, media, and facilities for processing and maintaining vital information. The processes to safeguard confidential data – including personally identifiable information (PII) of principals, employees, contractors, clients and other individuals – are the primary defenses of an Information Security Safeguard Program. An organization can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when needed. Executives need to be ever mindful of the strengths and weaknesses of their Information Security Safeguard Program, in particular the financial, operational, and reputational risks to their organizations. Now more than ever, the ability to effectively manage, protect and share PII, intellectual property, and other sensitive data in a cost-effective manner – both within an organization and with strategic partners, trusted advisors, clientele, and other parties – is crucial. This is the first of a series of articles highlighting concerns surrounding Information Security Safeguard Programs.

All enterprises operate, formally or informally, in a framework. Like people who perform different roles in an organization, systems fit together to provide the tools necessary to succeed in meeting goals. Systems as diverse as financial, staffing, customer relationship, and enterprise or operational solutions are all vital pieces of the puzzle, and each must effectively interface with the others to provide key professionals with individual or shared access to vital knowledge.

Each interface must be carefully constructed to protect the information that flows through the interface and from system to system. Each interface opens a window and inherently offers an opportunity for risk — any slight flaw or unconsidered possibility provides an opportunity for exposure or breach of security, whether through malfeasance, ignorance or neglect. As privacy and information security is one of the most pressing concerns of our time, we know that exposure to this risk can result in a number of critical problems as well as exposure to severe regulatory penalties, litigation and significant reputational damage. A recent example would be the ATM PIN breach at Citibank.

In their December 2009 issue, Compliance Week magazine published the results of a poll of corporate audit, risk, compliance, and governance officers. The upside is that 80% of respondents say they have made at least an organized effort to manage privacy compliance. However, only one third said their efforts were managed and proactive. It gets worse: one out of five called their efforts “siloed and inconsistent.” And one more thing: Congress is working on still more new rules to govern how enterprises manage their privacy efforts.

So what are the primary concerns facing enterprise managers?

Identity Theft. The threat to both individuals and enterprises from the potential exposure of sensitive personal data is a multi-billion dollar concern. Identity theft is the term used to define all types of malfeasance where someone illegally obtains and utilizes, and normally profits from, another person’s personal information in a way that involves fraud or deception. The Citibank example cited above is a strong reminder of what can happen, as is the breach at retailer TJ Maxx (where more than 45 million credit and debit card numbers were exposed).

Data Theft and Fraud. It’s not just identity theft that is a concern. If financial systems are compromised, then monetary theft, fraud, embezzlement and many other concerns may rear their heads – sometimes from an unhappy employee (or ex-employee) with inside information, sometimes from an outside source.

Reputational Risk. Often, the blame in the court of public opinion is assessed to the organization that was breached. When the enterprise can be seen as negligent at best, the public will view them negatively.

Risk of Sanctions. Regulators such as the Federal Trade Commission, states’ attorneys general, the European Union and other entities with enforcement responsibility are enforcing privacy laws more and more. An investigation may cost an organization significant counsel fees as well as lost productivity. If violations are found, monetary sanctions of $1 million or more are possible; plus the costs of changing your processes to meet regulators’ demands. Additionally, the likelihood of litigation such as class action suits, is high.

Ineffective Use of Data. If your data is open to manipulation, you run a risk of not having the optimal knowledge needed to run your organization effectively, or worse, dealing with corrupt and unreliable data. Good information security practices are both a safeguard and an indicator that an organization a) understands the depth of knowledge it possesses, b) values and protects its data as an inestimable asset and c) is using it to its greatest advantage.

During harder economic times there are more and more threats to security. Generally, preventive measures are far less costly, both financially and operationally, than re-engineering systems after a breach or other significant event has occurred.