Forget about compliance

David Lynch, Apani Networks

IT managers everywhere are trying to figure out what regulations they need to comply with, what they need to do in order to comply and how they are going to fund the activity.

All of these activities consume a great deal of time and energy, and can leave organisations exposed to significant risk. David Lynch, vice president of marketing at Apani Networks, takes a look at the important issues regarding compliance.

Regulations come from a variety of sources and focus on different issues:

  • Sarbanes-Oxley and its derivatives around the world focus on protecting the integrity of financial systems.
  • Health care regulations focus on protecting confidential health care information.
  • Data protection regulations focus on protecting personal information held by corporations.

Boil this down and you have one common theme: organisations are custodians of the data they collect, and they need to protect it. When it comes to data protection there are two interacting market dynamics that drive the need to protect personal data:

  • the skyrocketing value of data that organisations collect;
  • the decreasing effectiveness of the perimeter as a means of protecting this data.

Understand the value of data

If history has taught us anything it's that when business is good, crime is also good. This is as true in the realm of e-business as anywhere else. As the reach and power of e-commerce grow, so does e-crime.

Identity theft has become the fastest growing crime throughout the world, and a highly lucrative black market has developed for identity information.

In mid-2005 The New York Times identified two websites (www.carderportal.org and http://iaaca.com) as worldwide online marketplaces for personal information, where anonymous buyers and sellers came together to deal in stolen information. These sites have since closed and have been replaced by others. The effect of these sites has been to establish a market value for personal information, which today runs from $4 to $100 a record depending on the content.

The perimeter is declining

Up until now the primary basis for almost all security strategies has been a strong perimeter dividing the network into 'trusted' and 'untrusted' environments, with effort focused on building the perimeter, controlling access to the trusted side and securing data as it flows across the perimeter.

For a variety of reasons, both technical and social, the perimeter defence strategy is losing its effectiveness: a process known as deperimeterisation. This puts the confidential data held within the perimeter at risk and exposes the organisation to a liability far greater than that of non-compliance.

Liability associated with a data breach

A data breach has a number of impacts on a business, and any one of them makes the penalties associated with non-compliance fade into insignificance.

The impact of cleanup

This can include executive time spent explaining the breach to the public and the media (in the case of CardSystems Solutions this involved having to respond to a US congressional hearing), as well as direct out-of-pocket expenses. For example, in the recent Atlantis Hotel data breach one year of free credit monitoring was provided to the 50,000 affected customers. This service can cost anywhere from $120 to $150 a year per client; even with volume discounts this translates into significant money.

An organisation that has experienced a data breach will also see increased activity from hackers and other cyber criminals. For example, the number of 'exploratory pings' (probes used to test network defences and discover potential weaknesses) experienced by ChoicePoint jumped from 100,000 to 2,000,000 in the 24 hours following its announcement. ChoicePoint suddenly became a target, and its IT department became very busy.

The impact to the customer

This can be the most significant of all. In the last quarter of 2005 EDS sponsored a survey of online banking customers asking the hypothetical question: 'What would you do if notified by your bank that your information had been involved in a breach?'

  • 50% of the respondents said that they would close some accounts with the bank.
  • Fully 30% indicated that they would close all accounts and change banks.

These results were borne out by a Ponemon Institute survey (October 2005), which first identified 1,100 consumers who had been involved in a data breach and then asked them what they had actually done in response to the notification:

  • 92% blamed the organisation where the breach occurred.
  • 20% abandoned the firm involved and took their business elsewhere.
  • An additional 40% were considering doing so.

Few organisations could survive a 20 to 60 per cent loss of their customer base. This is something that CardSystems Solutions Inc. found out after the theft of up to 40 million credit card numbers in early 2005: it lost a significant portion of its customer base and was later acquired by one of its competitors.

With such a high number (92 per cent) blaming the organisation that 'allowed' the breach to occur, even if customers do not leave right away you can be certain that there will be a long-lasting effect on customer loyalty.

The impact on capital

This can also be significant. Markets have long recognised this customer liability and react sharply to news of a data breach. For example ChoicePoint, which announced the theft of 145,000 records in February 2005, saw its stock drop from $48 a share the day before the announcement to $39 after it: a loss of $300 million in market valuation in 24 hours.

In June 2005 the Wall Street Journal looked at the impact of a data breach on the stock price. They identified 14 organisations in the US who had suffered a data breach in the first half of the year and tracked their stock performance following the incident.

The study identified that:

  • Stock prices fell by 1% to 3.3% in the 24 hours following the breach disclosure.
  • Over the next seven days prices continued to fall by an additional 5% to 14%.
  • Only 5 of the 14 (roughly a third) recovered from the loss over the period of the study.

The potential harm to an organisation from a data breach far outweighs the impact of non-compliance. Yet both relate to exactly the same thing: data protection.

Regulations can encourage an organisation to focus on securing a single aspect of the data it collects, leaving the rest at risk. Focusing instead on protecting your data, wherever it may be, will as a by-product ensure that you are in compliance, and it will dramatically lower the overall business risk.

Being in compliance with regulations will not help should you suffer a data breach. Forget about the compliance issue. It is simply good business sense to protect your data, and in doing so you will be in compliance with whatever regulations are out there.