Data Breaches Up in 2010
A data breach is painful for everyone, with the exception of the thief. The bad publicity, the cost of notification, and the cost of internal and external audits, not to mention the loss to the person whose data is breached, are enormous. Yet most companies are still loath to spend enough to protect their data. The results are in for the first part of 2010 and they are grim. The Identity Theft Resource Center (“ITRC”) reported that the total number of reported data breaches for the first four months of 2010 is 245, compared to 498 total breaches reported for the entire year in 2009.
The foundation for a sound privacy and information security program is documented policies and procedures, which are the business rules by which you run your business. These policies and procedures inform and educate company staff on how to handle and protect data in any format. In any audit the first target is going to be policies and procedures. Are they documented? Have the staff been properly trained? Is there ongoing education and training? And finally, do the staff actually follow the policies and procedures in their daily activities? Having an outdated policy and procedure manual sitting on the shelf will not suffice.
A company we have worked with sent out paper manuals to their clients and then followed up with updates to be posted to the manuals. In theory this is a good system; however, an unannounced on-site visit frequently revealed the manual in its original shipping materials, with the updates neatly stacked on top. In the industry we refer to this as "credenza-ware".
What has proved effective is an on-line interactive policy and procedure manual with oversight provided by an outside "Helper" who is rewarded based on the level of compliance of their client. Supplemented by monthly updates and task lists, this provides guidance and performance metrics.
In the 21st century, getting compliant, staying compliant, and proving compliance is much less expensive and easier than in the past. Make this small investment and save yourself and your clients a lot of grief.