Wednesday 9 September 2009

What’s in a number?

Today, the Ponemon Institute revealed that 67 percent of French organizations have been hit by a data breach incident over the past year, with 18 percent having more than five incidents. If this seems high, it is with reason. According to Ponemon, only 8 percent of these breaches were reported, so we never heard about the other 92 percent because there was no legal or regulatory mandate for reporting them.

The issue of reporting and disclosure is hotly contested, oftentimes pitting the rights of individuals against corporations that want to distance themselves from the bad publicity and associated liabilities. The United States, which has seen some of the largest data breaches in history, still does not have a single standard for data breach reporting or regulatory data protection requirements.

We can’t expect companies to willingly disclose data breach information – the consequences are too severe, even though full disclosure will work to their benefit over time. What needs to happen is that the same focus on transparency now being heralded in the financial services industry is applied to data breaches, with the primary goals of catching those responsible and informing those affected as soon as possible. This transparency will come, at the very least because certain industries will require it. In the meantime, we take solace in the 71 percent of the Ponemon respondents in France who placed data protection as a critical component of their overall protection plan. These companies are not completely overlooking data protection, but they are playing catch-up (as are most companies these days) to very sophisticated hackers.

French cuisine may be famous for rich sauces. It is clear from this report that they are a rich data source too!