<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; breach notification fatigue</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/breach-notification-fatigue/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Consequences following a data breach</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 16:58:48 +0000</pubDate>
		<dc:creator>lponemon</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[ProtectMyID]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=923</guid>
		<description><![CDATA[Our latest study, Aftermath of a Data Breach Study, was conducted to better understand how a data breach affects organizations over the long term.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/security-1024x722.jpg"><img class="aligncenter size-full wp-image-938" title="security-1024x722" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/security-1024x722.jpg" alt="" width="553" height="390" /></a></p>
<p><em>Our guest blogger this week is Dr. Larry Ponemon, Chairman and Founder of the <a title="Ponemon Institute Website" href="http://www.ponemon.org/index.php" target="_blank" class="broken_link" rel="nofollow">Ponemon Institute</a>.</em></p>
<p>Our latest study, <a title="Ponemon Aftermath Study Landing Page" href="http://www.experian.com/PonemonAftermathStudy" target="_blank">Aftermath of a Data Breach Study</a>, was conducted to better understand how a data breach affects organizations over the long term. In this study, IT professionals weigh in on how their organizations dealt with a data breach that had both serious financial and reputational consequences. While we asked respondents to focus on just one breach, 85 percent say that their organizations had more than one breach involving customer/consumer data in the past 24 months. It is interesting to note that in many cases it took a serious data breach to make privacy and data protection a greater priority and allocate additional resources to the IT security function.</p>
<p>While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"> <a title="Ponemon Reputation of Data Breach Study" href="http://www.experian.com/innovation/business-resources/reputation-impact-data-breach.jsp?WT.srch=ecd_dbres_blog_012512_article ">Download the Ponemon Reputation Impact Study</a> to learn what executives are saying about how a data breach can affect the reputation and image of an organization.</div></div>
<p>The findings also show the concern organizations have about <a title="How data breaches harm reputations" href="http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breaches-harm-reputations/" target="_blank">losing the loyalty</a> of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims was enough to reduce the negative consequences of the data breach. This suggests that compliance with data breach notification laws in and of itself is not sufficient if an organization is concerned about customer loyalty and reputation. Other lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored. We invite you to read the <a title="Ponemon Aftermath Study Landing Page" href="http://www.experian.com/PonemonAftermathStudy" target="_blank">full report here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quick glance: data breach litigation &amp; legislation in 2012</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 16:53:34 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=912</guid>
		<description><![CDATA[With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of prevention is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your security practices and fraud resolution plans are strongly built to ward off malicious attacks and the complications that follow.]]></description>
			<content:encoded><![CDATA[
<p>It was only a matter of time before a flood of class action lawsuits began to wash over breached companies. In general, these suits allege that a company: 1) did not adequately protect the sensitive data entrusted to it and 2) did not notify consumers of the breach in a timely enough manner. In 2011, after one of the biggest breaches of the year went public, it took just one day for the first class action lawsuit to be lodged.</p>
<p>The avalanche of recent breaches has been worrisome for consumers, causing lawyers, as well as lawmakers, to take note. Moving into 2012, businesses will want to carefully watch the changing landscape of litigation and legislation.<br />
Two recently submitted bills would require companies to inform affected customers, the <a title="Develop a data breach response plan" href="http://www.experian.com/blogs/data-breach/2011/02/22/develop-a-breach-response-plan-now-to-be-ready-to-efficiently-address-a-breach-as-soon-as-it-is-reported/" target="_blank">Federal Trade Commission</a> and law authorities of a data loss within 48 hours of completing a breach assessment.</p>
<p>No matter the outcome of these bills, companies that delay making their breaches public will continue to face the consequences. In 2011, a large financial institution found itself in hot water after waiting weeks to notify customers of a breach. The controversial delay prompted a leading industry group representing the country’s largest financial institutions to testify before Congress. The testimony suggested that banks should immediately notify federal officials and affected customers of a breach.</p>
<p>While the outcome of recent litigation remains to be seen, many lawyers expect these suits to inevitably increase in size – and rewards. To date, Internet privacy-related lawsuits have yet to yield the hefty settlements of securities fraud cases. Still, with the escalating breadth of data breaches, higher profile law firms, ones known for mounting successful securities fraud litigation on behalf of shareholders, are getting involved.</p>
<p>The challenge for plaintiffs’ lawyers in security breach cases is not in proving liability but establishing damages. Judges must determine whether the compromise of personal data represents a loss of value or if there should be additional proof of tangible harm.</p>
<p>With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of <a title="Data breaches - to prepare or not to prepare?" href="http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%E2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/" target="_blank">prevention</a> is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your <a title="Data Breach homepage" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">security practices and fraud resolution</a> plans are strongly built to ward off malicious attacks and the complications that follow.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Over-reporting vs. under-reporting data breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2011/09/20/over-reporting-vs-under-reporting-data-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/09/20/over-reporting-vs-under-reporting-data-breaches/#comments</comments>
		<pubDate>Tue, 20 Sep 2011 18:40:22 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[national data breach notification law]]></category>
		<category><![CDATA[Personal Data Privacy and Security Act]]></category>
		<category><![CDATA[S.B. 1386]]></category>
		<category><![CDATA[Secure and Fortify Electronic Data Act]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=784</guid>
		<description><![CDATA[The onslaught of significant data breaches in the past year has once again spurred legislators to push for national data breach notification legislation.  ]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/Legislation.jpg"><img class="aligncenter size-full wp-image-786" title="Legislation" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/Legislation.jpg" alt="" width="448" height="298" /></a><br />
The onslaught of significant data breaches in the past year has once again spurred <a rel="nofollow" href="http://www.csoonline.com/article/685125/they-re-baaack-national-data-breach-notification-bills-resurface" target="_blank" class="broken_link">legislators</a> to push for national data breach notification legislation.  Such a cohesive law would replace the jigsaw puzzle of state legislation that has followed in the wake of California’s security breach notification law, or <a rel="nofollow" href="http://en.wikipedia.org/wiki/SB_1386" target="_blank" class="broken_link">S.B. 1386</a>, which was designed to ensure that companies alert customers when they are at risk for identity theft.</p>
<p>But less agreed upon in the rush to protect the public is the question of what qualifies as “risk” to consumers, and exactly when organizations should be mandated to reveal breaches.</p>
<p>Legislation that has been introduced includes the <a rel="nofollow" href="http://www.govtrack.us/congress/bill.xpd?bill=s111-1490" target="_blank" class="broken_link">Personal Data Privacy and Security Act</a>, sponsored by Sen. Patrick Leahy, requiring companies to disclose cyber attacks that jeopardize consumers’ personal information and making it a crime to conceal such a breach.  The bill would also require organizations that possess personal information to put in place &#8220;reasonable&#8221; security procedures to keep that data secure.</p>
<p>Other bills that have been introduced include the <a rel="nofollow" href="http://bono.house.gov/News/DocumentSingle.aspx?DocumentID=246029" target="_blank" class="broken_link">Secure and Fortify Electronic Data Act</a>, sponsored by Rep. Mary Bono Mack, which requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach assessed, at risk of penalties levied by the FTC.</p>
<p>But amidst a growing consensus that a <a href="http://www.experian.com/blogs/data-breach/2011/06/28/is-a-national-data-breach-notification-law-finally-within-reach/" target="_blank">national data breach notification law</a> will make compliance stricter and less cumbersome for businesses while helping to protect consumers, there is concern that the bills afoot pose a danger of over-reporting data breaches, which can be as serious as the danger of under-reporting.</p>
<p>The Business Software Alliance, for example, believes that over-reporting of data breaches may lead consumers to ignore notifications, leading to the possibility that they won’t make arrangements to protect themselves from the risk of identity and financial theft.  The Alliance argues that Washington should adopt a higher threshold for data breach disclosure than the threat of “reasonable risk” to consumers; instead, the bar for notification should be that of “significant risk.”  Anything less than this will require companies to notify customers when a threat <em>might</em> be posed, which will add to the problem of <a href="http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/" target="_blank">breach notification fatigue</a> that has some consumers tuning out warnings after they have actually been exposed to a real threat.</p>
<p>Until further breach notification laws have been sorted out at the state and federal level, it’s best to keep <a href="http://www.experian.com/blogs/data-breach/2011/05/10/breach-notification-in-three-easy-steps/" target="_blank">best practices</a> about breach notification in mind as your company steels itself against the dangers of cyberspace and strikes the most responsible reporting balance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/09/20/over-reporting-vs-under-reporting-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are we suffering from breach notification fatigue?</title>
		<link>http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/#comments</comments>
		<pubDate>Tue, 03 May 2011 15:25:22 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[2011 Data Breaches Investigations Report]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Sony PlayStation breach]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=546</guid>
		<description><![CDATA[With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/05/Phishing2.jpg"><img class="aligncenter size-full wp-image-559" title="Phishing" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/05/Phishing2.jpg" alt="" width="480" height="399" /></a></p>
<p>It seems as though every day the news headlines trumpet another high-profile data breach.  The most recent marquee breach is courtesy of a Sony PlayStation Network hacker, whose <a rel="nofollow" href="http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426" target="_blank" class="broken_link">attack</a> on the Sony and Qriocity servers between April 17th and 19th has compromised the personal data and, possibly, stored credit card information of 77 million players.  (Yes, you read that right; 77 million.)  Combine that with other recent cyber-heists affecting millions of unsuspecting consumers or residents, and many organizations have been forced to send out a dizzying array of <a href="http://www.experian.com/blogs/data-breach/2011/03/01/get-ready-for-a-new-wave-of-breach-notification-laws/" target="_blank">email notifications</a> to their customer base, many – if not all – of whom are now vulnerable to spear-phishing attacks.</p>
<p>With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them…like the one they’re reading now.</p>
<p>Got that?</p>
<p>This raises the question of whether customers are starting to tune out the onslaught of breach alerts flooding their email in-boxes.</p>
<p>Some security gurus believe that notifications aren’t effective and customers become numb to these alerts.  Others are convinced that breach information overload is a good thing, educating people to the dangers lurking in the cybershadows and their vulnerability to <a href="http://www.experian.com/blogs/data-breach/2011/02/15/10-ways-that-breaches-burn-business/" target="_blank">identity thieves</a>.  After all, how do you know to watch out for email “bait” if you’re not aware there’s a phishing hook with your name on it?</p>
<p>Furthermore, the flip side of over-notification is under-notification.  This is something that Sony is now being accused of in a <a rel="nofollow" href="http://www.pcworld.com/article/226478/sony_sued_over_psn_data_breach_failure_to_disclose.html" target="_blank" class="broken_link">lawsuit</a> that claims the company waited too long to notify its PlayStation customers of the recent breach, which only exacerbated customer vulnerability to credit card fraud.</p>
<p>The irony is that while the dramatic breaches of late have been stealing headlines (as well as data), a <a rel="nofollow" href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf" target="_blank" class="broken_link">2011 Data Breaches Investigations Report by Verizon</a> indicates that total thefts from data breaches have in fact declined significantly over the past few years.  The total number of records actually compromised from these breaches was a “mere” 4 million in 2010, quite a drop from the 144 million records compromised in 2009, and the 361 million compromised records in 2008.  The bad news?  If you look at actual data breaches versus compromised records, the <a rel="nofollow" href="http://blogs.smartmoney.com/paydirt/2011/04/20/cyber-crime-break-ins-are-up-but-theft-is-down/?mod=SMBlog" target="_blank" class="broken_link">numbers this year are up</a>; 760 breaches last year, an increase from 141 in 2009.</p>
<p>The bottom line: while fraudsters haven’t been able to recently score as much cyber-loot as in times past, this is <a rel="nofollow" href="http://www.esecurityplanet.com/news/article.php/3931496/article.htm" target="_blank" class="broken_link">no time to relax</a>.  Just be aware that with the steep increase in breaches comes an equally steep increase in breach notifications, and the associated risk that breach notification fatigue will put your customers to sleep.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/05/03/are-we-suffering-from-breach-notification-fatigue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>