Just glancing at 2012 data breach statistics is enough to make governance, risk and compliance officials cringe: There were 1,478 data breaches reported worldwide last year -- 35% more than in 2011, according to an Online Trust Alliance analysis.
But there's something of a bright side to these stats: Almost all the incidents could have been avoided by implementing such simple steps as following data security and privacy best practices and internal controls, according to the OTA.
"We are, more and more, becoming a data-driven economy," said OTA Executive Director and President Craig Spiezle. "As we think about the increase in data-location data and various data types, it creates a tremendous opportunity for business. But it also creates a tremendous opportunity for businesses to lose data that is extremely personal."
To raise data security and privacy awareness, the nonprofit OTA released its 2013 Data Protection & Breach Readiness Guide in recognition of Data Privacy Day earlier this week. The OTA also has held a series of town hall meetings across the country to promote data security and privacy best practices.
Data protection concerns don't end with the increased number of data security breaches and cybercrime incidents, either. The increased popularity of geolocation applications, as well as the use of complex data analytics and data appending, have led to regulatory concerns regarding the use, control and sharing of personally identifiable information.
The increased use of mobile devices and accompanying bring-your-own-device programs also contribute to data security and privacy concerns. Mobile devices generate information that includes unique identifiers and location data, while users are mostly unaware of what data is being collected, how it is being used and who has access to it. As a result, data incidents and identity theft are increasingly occurring through accidental device loss and cybercrime.
"We're seeing a lot of issues that are caused by the low-hanging fruit, the simple things that just don't get done," said Aaron Weller, managing director of data protection and privacy practice at PricewaterhouseCoopers Inc., one of the sponsors of the OTA's town hall meetings. "You see people every day using unencrypted USB keys and losing thousands of records. It's not always the hard stuff that hurts you. Oftentimes, it's the simple stuff."
The benefits of data security and privacy
All companies, regardless of size or business sector, can benefit from implementing data privacy programs, a data protection strategy and data-loss incident readiness plans, according to the OTA. Some of the steps -- and their accompanying benefits -- include:
- Mitigating compliance risk by encrypting all data and placing credit card information into a separate database.
- Creating a well-integrated plan with all departments involved, including legal, information security, client services, IT, public relations, marketing, operations and investor relations.
- Providing customers with timely notification, depending on the type of data involved and the jurisdiction of state attorneys general, and offering consumers reasonable protective measures to help them protect themselves.
The OTA advises that broad sets of operational and technical best practices help protect a company and its customers' personal data. By developing a data lifecycle plan, organizations can respond with immediacy and consistency, Spiezle said. "It's important for businesses to take a data stewardship position on the data they collect, and to make sure they have plans in place," he said. "By adhering to best practices that are attempting to prevent, mediate and respond to threats, I think we all benefit."
The OTA suggests organizations thoroughly evaluate data from its acquisition through its use, storage and destruction. It's important to balance any data-related regulatory requirements with business needs and consumer expectations, according to the alliance.
Ignoring data security and privacy can be very costly to business: The average cost of a data breach to businesses is $5.5 million, according to the OTA report. Businesses often make data security and privacy more tenuous by rendering it strictly an IT problem, Spiezle said. "I think if we think of it as an IT issue, we set ourselves up for failure," he said. "When you think about data governance, data collection and data protection, it's really everyone's job within an organization."
Steps such as properly training employees on how to handle data, and on why some information requires more attention than other information, are simple, vendor-neutral processes that organizations can easily implement, Spiezle said. In 2012, 26% of reported breaches stemmed from internal employee misconduct or accidental disclosures -- and more are expected in 2013.
"That's where there is some opportunity for organizations to think about what the real risks are, and what controls should be put in place," PricewaterhouseCoopers' Weller said about employee-level data security and privacy controls. "It's not always about spending a lot of money to address some of these issues."