The danger of not having a breach policy in place

December 1, 2010 by ofonseca

A recent study by Trend Micro indicates data loss is a growing concern for small businesses. The 2010 Corporate End User Study found that close to 60% of business respondents feared that data loss would result from data-stealing malware or from intentional or unintentional data leaks outside the company network. Even though data loss is a big concern, a majority of the surveyed small businesses indicated that they did not have data loss policies or loss prevention education in place.

The lack of a data loss policy creates risk for both the small business and the customer. As I mentioned earlier, a breach may result in reduced customer trust, lost revenue and substantial costs associated with resolving the crisis. If a small business has limited cash flow, addressing a breach may be what drives the business to close.

Additionally, new data security and notification legislation has been introduced in Congress. The legislation proposes that all businesses that handle personally identifiable information (PII) be required to implement security policies and procedures to protect this information and to provide notice in the event of a data breach. Businesses that do not comply would face substantial penalties.

Recent news indicates the government’s interest in levying fines against companies that do not follow current law. The Indiana attorney general’s office is suing health insurer WellPoint for waiting several months before notifying customers of a data breach.

The best approach to avoid violating these new laws is to be proactive. Get a data breach resolution plan in place…before a breach occurs.