Electronic information privacy will eventually be one of the criteria on your job performance review. In fact, it’s not just electronic data that you should be concerned about, but all data. If you are an employee or executive at a corporation, association, university or small business, you must realize that protecting organizational data is vital not only to your company’s profitability, but to your job security. If it isn’t right now, it will be soon.
As a company employee or business leader, it is essential that you clearly understand the relationship between identity theft, data breach and your bottom line. One of the costliest data security mistakes I see executives make is that they initially approach data privacy from the perspective of the company. They don’t recognize the following reality: All privacy is personal. It’s not electronic information privacy. It’s not physical data privacy. It’s personal.
In other words, many people in your organization won’t care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them. If employees and executives don’t care about protecting their own identities (to prevent identity theft), how can you expect them to care about protecting the corporate identity (to prevent data breach)? Like the emergency oxygen masks on a depressurized airplane, you’d better put your own on first or you’ll be worthless to those around you. Protecting yourself first isn’t self-centered; it’s effective and educational. Information Privacy Training begins at the human level and expands outward to the group level. And it is not technical by nature.
This foundation of belief is clearly lacking among C-Level corporate executives, despite (and possibly in spite of) the onslaught of information privacy acts. Look at the key findings of the Ponemon Institute/Ounce Labs study, Business Case for Data Protection, which surveyed C-Level executives about information privacy inside their corporations (emphasis mine):
• 82% of the C-Level executives surveyed said that their organizations had experienced a data breach and many of them are positive they cannot prevent a repeat performance
• 53% of the CEOs surveyed said that the CIO is responsible for data protection, yet only 24% of the other C-Levels would point to the CIO as the one responsible for data protection overall
• 85% of those who are said to be in charge of data protection don’t believe that a failure to stop a data breach would impact their job
In other words, C-level executives know that a breach has already happened, are fairly certain it will happen again, know that they are unprepared to stop a recurrence, and yet they can’t clearly identify who will be held responsible, nor do they feel that they will be held accountable when the inevitable happens. At this stage, building a Culture of Privacy is mostly bluster, as is electronic information privacy.
According to Ponemon, the average organizational cost of one data breach to a company was almost $6.7 million in 2008. The negative effects on our bottom lines are what will give this topic traction, not any one information privacy act. The question is, how many data breaches can one company sustain, and how many does it take to get them to respond? Information privacy, electronic and otherwise, is vital to your company and, in turn, to your job security.
My next post will discuss some of the steps to take to make sure your company isn’t one of the victims in 2010.
John Sileo became America’s leading Information Privacy and Identity Theft Speaker after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To further bulletproof yourself and your business, contact John directly on 800.258.8076.