Editor: In the past few years companies and other organizations have made headlines due to breaches in data privacy. What has caused this issue to come to the forefront?
Kirtley: Two primary factors predominate: the first is that the accelerating deployment of technology and the evolution of how these systems are used have dramatically increased the amount of information available in different places for all of us. As the reservoir of information grows, so too does the risk of a security compromise. Increasingly, firms and organizations find it difficult to successfully defend against fraudulent access and other privacy violations.
The second factor driving this issue is the laws and regulations requiring that impacted individuals be notified when their personal information is potentially compromised. The California Computer Security Breach Notification Act took effect on July 1, 2003, requiring businesses to notify any California resident whose personal information was compromised, or that is reasonably believed to have been compromised.
The defining moment in the public awareness of data breaches was the February 15, 2005 ChoicePoint announcement. ChoicePoint acknowledged having disclosed the personal information of 162,000 consumers to identity thieves that had established fraudulent accounts with ChoicePoint. ChoicePoint decided to notify all 162,000 people including those outside of California. This was the first large-scale notification of consumers on a national basis. The revelation in the media of prior breaches where people had not been notified generated a groundswell of support for the passage of more state security-breach legislation. In the 18 months following the ChoicePoint disclosure, 29 additional states passed laws mandating some form of notification in the event of a security breach.
Additionally, there has been the added dimension of international regulation that has impacted many U.S. firms. Both the EU and United Kingdom passed privacy legislation in 1998.
The net result has been an almost constant stream of disclosures of data breaches. As of September 2006, the Privacy Rights Clearinghouse had identified over 300 breaches involving the records of over 93 million people. The list of compromised databases includes those of prominent corporations, universities, public accounting firms, and various government entities.
Editor: Why has this been such a persistent issue? Surely firms are becoming more aware of their obligations and how to meet them.
Kirtley: While most firms and organizations have initiated programs to deal with these issues, in the near term privacy breaches will likely continue to escalate. Many firms are still wrestling with creating the infrastructure to address the needs for improving data security.
Firms can derive a competitive advantage from storing and using personal information, and consumers are increasingly willing to share more of their information in order to receive better service and more convenience. The positive side is that this information-gathering enables firms to more effectively offer the right products to their customers.
The downside is that, as these data collections grow, there is more data to lose and more holes to fill. This puts those who manage the information in the awkward position of having to make it as easily and readily available as possible, while at the same time ensuring its security.
Editor: What are some of the risks firms face if they don't adequately address data privacy compliance?
Kirtley: The most obvious problem for firms that have a security breach is the enormous negative publicity and the resulting damage to their reputations. Neglecting to protect information enables outsiders to infer something about a firm's management practices, and the message is not positive.
A data breach will likely lead to a loss of consumer confidence, and potentially a loss of suppliers. A survey conducted by the Ponemon Institute in 2005 found that 58% of customers have reduced trust and confidence in the firms that notified them of a security breach and that 20% of the customers terminated their relationships with a company after a breach. A data breach can result in a firm's inability to continue to operate.
For example, CardSystems Solutions was a company that processed in excess of $15 billion annually in credit-card transactions and handled Electronic Benefit Transfer card payments used by government agencies to manage electronic payments of welfare programs like unemployment or food stamps. In June of 2005, the company disclosed that data from about 200,000 accounts had been stolen by hackers, and that over 40 million were potentially vulnerable. The breach was actually discovered by MasterCard, and resulted in both American Express and Visa suspending CardSystems from accepting and processing credit card transactions. Only a few months later, in December 2005, CardSystems ceased to exist.
Shareholders can also be seriously impacted. ChoicePoint, for example, saw its share price fall from over $46 to less than $38 in the weeks following its disclosure, a loss of more than $700 million in shareholder value.
The direct costs associated with a breach can range from annoying to staggering. The Computer Security Institute and FBI 2006 Computer Crime and Security Survey reported that the average loss from security breaches was just under $168,000. That average, however, masks a tremendous range, from virtually nothing to costs ranging in the millions.
Finally, there can be fines and sanctions for firms that experience a data breach. Not to pick on ChoicePoint, but in its case the company paid a civil fine of $10 million to the FTC and agreed to set up a $5 million fund administered by the FTC to pay compensation to anyone who was harmed by the breach. Notification is not the trigger here. Firms that have an issue but fail to notify consumers can also be penalized by the state or federal government, with fines in excess of $10 million.
While preventing data breaches can be expensive, not preventing them can be devastating.
Editor: How can firms deal with data privacy compliance issues in the short term?
Kirtley: In the January 2006 issue of The Metropolitan Corporate Counsel, three of my colleagues articulated how to address data privacy compliance from a strategic perspective. I'll summarize the steps, and outline how that translates into short-term actions that can be taken.
1. Identify and Evaluate Corporate Risk. Focus on understanding the current risk and control environment, assessing both the external environment for requirements and business/customer demands, and the internal environment to understand what information the firm possesses and how it is maintained.
2. Set Policy. Policies need to be designed so that they cover the entire information life cycle, and address all of the specific legal and regulatory requirements that the firm is subject to. A clear policy needs to be spelled out to articulate how to deal with a breach, if one occurs, and how people will be notified.
3. Embed Policy. Once policy is set, the next step is to embed policy via education, communication, and the appropriate use of technology. Clearly, one of the most important things to stress with regard to data privacy is that the firm has a culture that acknowledges the critical importance of protecting personal information.
4. Monitor. The key here is the creation of a program that continually monitors both the actions of those who manage information and the infrastructure that contains the information.
5. Investigate. It is imperative that, as issues arise, there is a structured set of policies and procedures to deal with them. A clear escalation process and documentation of steps taken in the investigation process are imperative.
6. Report. Reporting is mandatory and critical, and should cover actions taken to ensure data integrity and security, any issues identified in processes, systems or procedures, and any new initiatives undertaken to address or prevent issues from occurring in the future.
Editor: It would seem that much of what needs to happen is driven by the CIO. How can Legal help in maintaining data privacy?
Kirtley: Well, you are right about the role of IT. The day-to-day protection of information falls largely on the shoulders of the CIO. The preponderance of the data maintained by firms and other organizations resides in electronic databases, and securing those is clearly the responsibility of IT. Legal, however, plays a crucial role by working throughout the organization to define and enforce the policies that protect the organization in other ways.
For example, in the case of CardSystems, the contracts negotiated by the legal team required that all transaction data be encrypted and that no credit card verification numbers be maintained. CardSystems' IT practices violated the contract on both of those counts, which made it far easier for hackers to obtain the credit card information needed for fraudulent charges. If Legal had reviewed IT policies to ensure that the contractual obligations were being met, risk could have been reduced.
Compliance with the laws and regulations is also challenging because they vary considerably. For example, what comprises "personal information" varies, and can include things like birth date, and even a mother's maiden name or DNA profile. Another variation revolves around notification requirements. Some states require only that the affected individual be notified, while other states require notice to state regulators, the state attorney general, or even the state police.
Editor: You've spoken before about how firms can benefit from improved compliance programs. Specifically, how does improved data privacy compliance help companies improve the bottom line?
Kirtley: It makes their customers more willing to buy from them. Increasingly, consumers are banking and shopping online. A study released September 19, 2006 by Trend Micro showed that 82% of consumers regularly shop online and that 71% consistently bank online. Those percentages have been going up every year, despite the fact that a third of consumers are worried about data theft and identity theft.
Firms that undertake aggressive data privacy protection initiatives and trumpet these programs have a competitive advantage over their peers.
It is difficult to put hard dollar numbers on the value of specific privacy initiatives. The way to think about these investments is that they are the price of entry for creating and maintaining sustainable long-term relationships with your customers.
Editor: Any additional parting thoughts?
Kirtley: First, understand that the appropriate perspective is one of managing, not eliminating, risk. Having a program to secure data is vital, but having the steps in place to deal with a breach is just as important.
Second, make sure any program you put in place is sustainable. To create a sustainable data privacy program, measurement and monitoring are crucial. There is an old adage that you need to measure what is important - this is a vital concept to understand when implementing any compliance program.
Long-term sustainability therefore is not only dependent upon creating and implementing a successful program and making the IT investments that secure the data - it is about encouraging the right behaviors and constantly renewing the program to make sure that it reflects the needs of the company and protects the privacy of those whose data you hold.
Published November 1, 2006.