Let’s start with a statement of the obvious. Many businesses store a large amount of data that’s of little use to anyone else. It may be historical records or just general information about the business and how it runs. No one would consider this sensitive and any loss would not affect anyone. But there are always elements of data that should be kept confidential and, to encourage you to take great care, there are a raft of laws and regulations intended to punish you if any of this data is lost in a security breach.
Let’s start at an international level. If your business stores, transmits or processes the payment card numbers issued by American Express, Diners Club, MasterCard, Visa, and so on, you should comply with the security standards outlined in the Payment Card Industry Data Security Standard (PCI DSS). This internationally accepted standard is directly applicable to your business and there are hefty penalties if you fail to keep cardholder details secure. As an aside, if you’re thinking you don’t need to take any notice of these international standards, try telling that to MasterCard and Visa the next time you lose some of their card numbers. Coming down to the federal and state levels, more than forty states have put laws in place to tell you what to do if you lose sensitive data. Some states require you to keep data encrypted when in static memory. Needless to say, there are penalties for failure to comply and data loss opens you to civil suits from anyone whose privacy has been affected by your breach of regulations.
There are two different reactions needed. The first is to deal with the software security of your IT infrastructure. A refusal to spend money on evaluating and, if necessary, upgrading your systems will not endear you to enforcement officers should there be a subsequent breach. It’s a false economy to believe you’re not at risk. In any event, there are some reasonably cheap solutions for PCI DSS compliance like Card Recon and Enterprise Recon available from Ground Labs. For compliance with US laws, you should look for data loss insurance to cover the usual incidental costs. A recent survey found the average cost of security breaches was about $7 million, regardless of the size of the business.
The best business insurance policies cover the cost of responding to the data loss. This covers the forensic team to analyze how the data was lost and then to construct patches to ensure you cannot lose data in the same way again, and deals with your legal responsibilities. All the laws require you to notify the people affected by the data loss. This can provoke the need for a crisis management firm to protect your reputation and, as the news spreads, deal with the defense costs of the civil claims. There can also be continuing costs because courts can order you to pay for credit monitoring for everyone whose data was lost. That way, you can pick up and deal with identity thefts as they occur.