The CCO’s Dirty Little Secret
A look at the true cost of compliance failures and how to avoid being buried in trouble.
By Bob Janacek
Millions of dollars in fines are levied by the Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) for privacy and security violations. A reasonable person would think enterprises take notice of such actions and work hard to ensure this won’t happen to their organizations. Yet, many businesses are run as if they operate in their own utopia, free from privacy concerns, invisible to regulator controls, and immune to customer backlash.
Whether through calculated risk or indifference to the law, the fact is, many chief compliance officers (CCOs) have a dirty little secret. Unfortunately, what they might consider a minor, calculated risk can bury an enterprise in a mound of trouble.
That secret lies within the calculations organizations make to compare the cost of compliance against the estimated cost of an actual data breach. In a number of cases, CCOs conclude the price of achieving compliance is greater than the expense of a breach, so they roll the dice, attempting to save money by forgoing serious compliance efforts. The CCOs think they’ll simply absorb the cost of a data breach if and when one happens. Maybe they’ll buy some cyber insurance to defray the cost in that “unlikely” event.
The truth is, many enterprises have not conducted risk analyses and don’t have an incident response plan, making it impossible to accurately estimate costs. As more organizations wade through the aftermath of a recent explosion in data breaches -- 2011 saw the second-highest data loss total ever recorded, according to Verizon’s 2012 Data Breach Investigations Report -- a more accurate picture of the true cost is emerging, one that goes far beyond the fines reported in the evening news.
When comparing the cost of implementing a compliance strategy to the impact of a breach, enterprises often go down a path that fails to calculate the true risk. They assume that a specific compliance regulation is associated with a category of breach, and that the total cost will solely be the penalty specified by that regulation. The problem is, there are many other factors which can, and likely will, add to costs:
- Multiple privacy regulations may be violated by a breach, resulting in multiple fines
- Fines may be issued by several regulating agencies, including those at the federal, state and industry level -- again, resulting in multiple fines
- Users affected by a breach can sue an enterprise on an individual basis or join a class action lawsuit against the organization
- Responding to a compliance breach usually requires significant interaction with legal professionals, resulting in substantial legal fees
- Significant expenses for breach investigation and remediation services are often incurred
- Direct loss of revenue occurs while breached systems are taken offline, remediated and returned to service
- Loss of an organization’s reputation and brand value results in lost customers and decreased future revenue potential
Consider how total costs quickly escalated in the recent compromise of a million patients’ protected information at a major health-care insurance company. Read past the headline-grabbing $1.5 million fine handed down by the Office for Civil Rights and you’ll see that the insurer also incurred the enormous costs of the investigation, notification, legal fees, new prevention efforts, as well as a severely tarnished reputation. Add that all up and the true cost of the incident came to about $17 million. That dwarfs the roughly $1 million typically covered by cyber insurance and -- you guessed it -- the cost of guarding against a data breach to begin with.
Besides the direct costs associated with mitigating a data breach, loss of brand equity and subsequent disruption to a business can be significant. This was clear in last year’s data breach that compromised Sony’s PlayStation Network. It’s estimated that the incident cost Sony over $20 million in lost subscriber revenue while the system was taken offline. In addition, since proper security techniques were not used to protect the sensitive information of over 70 million subscribers, Sony suffered significant damage to its brand equity and future revenue potential.
Still, standard operating procedure in many companies is that when business conflicts with security, business wins. This is dangerously flawed logic.
To illustrate this point, consider the case of a global enterprise that installed a data leak prevention system to scan the outbound e-mail of their 100,000 employees. Much to their surprise they learned that, on average, more than 1,000 e-mail messages per day containing credit card numbers were being transmitted in the clear across the public Internet. While they knew about these transmissions for three years, no corrective action was taken. Why? According to their CCO, those e-mail messages represented too much revenue to the company to stop them. Jobs would be at risk if a system was implemented that disrupted those workflows.
The perceptions that compliance is too costly to implement, and that it is disruptive to workflows, are two primary reasons that enterprises cite for maintaining the status quo. There was a time when these perceptions were not entirely without merit, and in the past, many organizations took a point-solution approach to address specific aspects of data compliance. Some still do.
However, in reality, this ends up raising costs and complexity.
For example, just in the area of data delivery, an enterprise might choose one solution for encrypting their outbound e-mail. They may implement another to allow users to send large files securely from their desktop to external users. Particularly in larger organizations, a third type of compliance solution could be used to allow systems to securely exchange files, typically on a scheduled basis, with external partners. Each of these solutions would be selected and implemented as a dedicated project, designed to protect a specific type of data for a specific workflow, deployed on independent servers. Naturally, additional servers would be required to ensure high availability and effective disaster recovery.
Using multiple servers means expensive hardware and support costs. In addition, such point products have not been designed to work together. They lack agility to adjust to evolving business processes, and they increase complexity for the IT staff that has to support them, as well as the employees, customers, and partners that use them. As a result, they are costly to implement and maintain, and provide an inconsistent approach to compliance.
Fortunately, as technology has evolved, a new class of compliance solution has emerged that protects data and overcomes the shortcomings of a legacy point product approach. Some of these solutions are even delivered from the cloud, allowing an organization to receive the latest compliance capabilities without constantly updating internal systems.
Especially for cloud-based solutions, the need for IT resources can be minimized, and costly outlay for new servers and data center space eliminated. For example, in the case of compliance for data delivery, it is now possible for a centralized system -- either in the cloud, on premises, or as a hybrid -- to securely deliver multiple types of data. This can be e-mail leaving the organization’s mail server, large files sent by employees from their desktops, or automated file exchanges sent by systems.
The benefit for compliance is greater visibility with a consistent set of security, audit trail and delivery tracking, independent of the type of data or where it was sent from in the organization. Hardware costs are dramatically reduced, and the complexity of managing numerous point systems, the stuff of IT and security nightmares, becomes a thing of the past.
As a result, enterprises can do more business, more rapidly, and at a significant cost advantage. For the CCO, it means a newfound level of compliance that eliminates the need for dirty little secrets and the worry of burying their companies in trouble.
Bob Janacek is the CTO and founder of DataMotion, a cloud-based data delivery services provider. The company’s core DataMotion Platform provides a secure data delivery hub. DataMotion’s solutions for secure e-mail, file transfer, forms processing, and customer contact leverage the Platform for unified data delivery. You can contact the author at Bob.Janacek@datamotion.com.