2. We’re in the midst of a crisis in privacy and data security . Billions of
passwords stolen. . . Mammoth data breaches. . . Increasing threats.
. . Malicious hackers . . . Damaging privacy violations. . . The
numbers keep rising. How should organizations be responding?
PREVENTING PRIVACY AND SECURITY DISASTERS
www.teachprivacy.com
Second, significant attention must be given to addressing human behavior, which is the biggest data security risk.
The best way to address human behavior is through effective training.
A study by Forrester that reveals that internal threats are the “leading cause” of data breaches.1 90% of malware
requires a human interaction to infect.2 95% of data security incidents involve human error. 3 Because so many
employees don't receive sufficient training, they engage in all sorts of risky data security practices.
The recipe can be summed up in a simple rhyme:
The C-Suite must care
The workforce must be aware
After reviewing countless data breaches, I’ve come to the
conclusion that there are two things that can most help
prevent data breaches.
First, upper management (often called “the C-Suite”)
must truly understand the risks, the law, and the
importance of good data security and privacy.
3. Strong data protection comes from both the top and the
bottom.
From the top, upper management understands the risks
and provides the appropriate resources.
From the bottom, all employees at every level know
how to do their part to ensure strong data protection.
Much more work needs to be done at both the top and
the bottom. At the top, the C-Suite needs a better
understanding of the risks and the law. And much more
can be done to improve workforce awareness.
www.teachprivacy.com
Data Protection Must Be Part of an Organization’s Culture
Ultimately, these two things are really about one thing: Data protection must be part of the culture of an
organization. Data protection must be felt in the bones of an organization. I say “data protection” because the
term encompasses both security and privacy. Both are essential and go hand-in-hand.
From the Top and the Bottom
PREVENTING PRIVACY AND SECURITY DISASTERS
4. After an incident, the lawsuits will start coming. Win or lose, these
cases can cost millions to litigate. One study found that the average
settlement award in these cases was approximately $2,500 per plaintiff,
with mean attorneys’ fees reaching $1.2 million.5
Under HIPAA, big fines are being issued. Fines can be up to $1.5 million
per provision of HIPAA violated. When there’s a breach, HHS’s
investigation often turns up quite a number of HIPAA violations, and
the fines for these add up. State Attorneys General can enforce HIPAA
as well as their own state’s law. There are big state fines. The FCC has
been stepping up enforcement and issuing big fines.
Although the FTC can only issue fines for some of the laws it enforces,
its consent decrees last 20 years and require ongoing auditing and
reporting to the FCT – and that can be very expensive! The FTC can
issue fines when consent decrees are violated.
www.teachprivacy.com
The Need for More Attention to the Risks and Costs
According to a recent survey, at most organizations, only a very small percent of the IT budget goes to data security.
19% spent less than 1% .4 These facts indicate the C-Suite needs to pay a lot more attention to data security
officials. Indeed, I think that the C-Suite needs to pay more attention to privacy officials too, because privacy and
security go hand-in-hand.
There are three big costs of an incident that the C-Suite often fails to appreciate: money, time, and reputation.
MONEY
PREVENTING PRIVACY AND SECURITY DISASTERS
5. Reputation
www.teachprivacy.com
Time
Incidents are not just solved by writing a check. They take time and sweat. These things are tremendously costly
not just in terms of money but also in terms of time.
A significant number of important personnel will be tied up dealing with these issues. And even the C-Suite might
be tied up too, as they need to deal with the PR fallout and might need to address the matter themselves.
TIME
REPUTATION
PREVENTING PRIVACY AND SECURITY DISASTERS
Privacy and data security incidents can tarnish an organization’s
reputation. Even if the general public isn't paying attention, an
entity’s reputation can suffer with other organizations, which
might not share personal data with that entity. And all the
regulators will now be paying more attention – the various
federal agencies, state AGs, state agencies, international
regulators, and so on. Just like having a prior criminal record
won't help future encounters with the police, the same is true
with having a regulatory violation rap sheet.
Soiled
Reputation
6. A recent study found that more than 90% of data breaches could have been avoided.6
There’s a story I see replayed again and again. An organization doesn't take security (or privacy) risks seriously
enough. The organization gets burned, and that is the wake up call. The organization then gets serious.
There are those who must burn before they learn and those who learn rather than burn. For some, despite all
warnings, they just won't step it up until after they get burned.
The costs of getting burned are enormous. The cost of preventative measures are minimal in comparison.
www.teachprivacy.com
1. Grant Hatchimonji, Biggest Data Security Threats Come from Inside, Report Says, PC World (Oct. 13, 2013)
http://www.pcworld.com/article/2054462/biggest-data-security-threats-come-from-inside-report-says.html
2. Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis,
https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-
Report_daiNA_cta72382.pdf
3. Marcos Colón, "Human Error" Contributes to Nearly all Cyber Incidents, Study Finds, SC Magazine (June 16, 2014)
http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/
4. 6th Annual HIMSS Security Survey (Feb.19, 2014 ) http://himss.files.cms-plus.com/2013_HIMSS_Security_Survey.pdf
5. Sasha Romanosky, David A. Hoffman, and Alessandro Acquisti, Empirical Analysis of Data Breach Litigation, 11 Journal of
Empirical Legal Studies 74 (2014), http://ssrn.com/abstract=1986461
6. Online Trust Alliance, 2015 Data Breach and Readiness Guide (Feb. 13, 2015),
https://otalliance.org/system/files/files/resource/documents/dpd_2015_guide.pdf
PREVENTING PRIVACY AND SECURITY DISASTERS
Burn Before You Learn or Learn Rather than Burn
Sources
7. About the Author
TeachPrivacy was founded by Professor Daniel J. Solove. He is
deeply involved in the creation of all training programs because he
believes that training works best when made by subject-matter
experts and by people with extensive teaching experience.
According to Professor Solove: "Great training isn’t about slickness
or tricks. It is about teaching. The goal is to make people
understand, care, and remember. Great training must made with
genuine passion. "
TeachPrivacy provides privacy awareness training, information
security awareness training, phishing training, HIPAA training,
FERPA training, PCI training, as well as training on many other
privacy and security topics.
In addition to creating enterprise-wide training, TeachPrivacy has
teamed up with the American Health Information Management
Association (AHIMA) to produce a series of more advanced
courses on the HIPAA Privacy and Security Rules:
http://www.ahima.org/education/onlineed/Programs/hipaa
Professor Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the
George Washington University Law School. One of the world’s leading experts in
privacy law, Solove has taught privacy and security law for 15 years, has published 10
books and more than 50 articles, including the leading textbook on privacy law and a
short guidebook on the subject. His LinkedIn blog has more than 890,000 followers:
http://www.linkedin.com/today/post/articles/2259773
Professor Solove organizes many events per year, including the new
Privacy + Security Forum, Oct. 21-23, 2015 in Washington, DC:
http://privacyandsecurityforum.com
About TeachPrivacy
www.teachprivacy.com