Privacy Advisor

Notes from the Executive Director

June 1, 2007

Prepare Now or Pay Later
In May, the list of security breaches continued to grow with new entries for lost and stolen laptops and tapes containing sensitive data. We also learned new details of the financial damage facing TJX Cos., which has already cost the company $25 million, with no end in sight. The legal fallout continues to take shape for TJX, which is faced with multiple class action lawsuits and investigations by regulators. It seems obvious that companies would have learned - either by the excruciating example of others or their own data security blunders - that breach prevention is a wise up-front investment.

Then late last month came the stunning results of research conducted by The Ponemon Institute on behalf of Scott & Scott, a law and technology services firm. The study, titled "The Business Impact of Data Breaches," found that about 85 percent of 700 C-level executives, managers and IT security officers said their companies had experienced a data breach - yet nearly half of those respondents said that they had no breach response plan.

The study convincingly offers up the case for preparedness with more data. About 75 percent of the respondents whose companies experienced a data breach indicated they lost customers. Sixty percent of the executives and managers said they were likely to face litigation. One-third reported the likelihood of fines, and 32 percent said their organizations suffered a decline in share value.

As privacy professionals, we owe it to our organizations to make sure they are prepared for the inevitable day when data loss is no longer something that happens to other organizations. While some CPOs may understand the importance of breach planning and prevention, they may not know exactly how to go about preparing their company to respond proactively and thoughtfully to quell the breach storm and minimize the damage to their organization and its reputation.

Recognizing the vital importance of this endeavor, the IAPP is well prepared to respond to this urgent need in the marketplace. This month, we are offering a Data Breach conference during the inaugural Practical Privacy Series, June 27-28, at the Graduate Center, The City University of New York. SAI Global is the Platinum sponsor of these new events, which also include a day-long conference devoted to Financial Services and a third conference focused on Pharma/Healthcare.

If you have yet to register for the Practical Privacy Series, we urge you to review the agenda at www.privacyassociation.org. See you in New York City!

J. Trevor Hughes, CIPP
Executive Director, IAPP