Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, January 8, 2008

Risk Management, Privacy and Corporate Priorities

A recent ComputerWeek article by Jeremy Smith, called “Data Privacy Must Become a Corporate Priority” makes a good point in suggesting that “privacy” should be a corporate priority, part of its risk management processes:

“The ever-changing business environment has a direct effect on a company's risk profile, often changing in unison as new business models develop. The expansion of global supply chains and the heightened dependence on outsourcing means that security risks are becoming harder to quantify and prevent. The new risks associated with relying on networks and using digital data must be addressed by risk managers in the same manner they would consider the more traditional risks.”

I really agree with this point. The article uses the recent UK HMRC incident as an example and further suggests that:
“If a private corporation had been the culprit instead of HMRC, the financial loss to that firm would have been substantial, possibly running into hundreds of millions of pounds to cover costs such as consumer notification, call-centre capacity (to deal with customers whose records had been compromised), ongoing third-party credit monitoring, claims for identity fraud, litigation expenses and damages and regulatory defence and settlement.
Most organisations probably do not have sufficient, if any, insurance for such an event, as normal property and liability policies only provide cover for tangible assets and specifically exclude the new risks associated with data and IT networks. Specialist data privacy and network security policies have been developed, particularly in the London insurance market, to address these exposures including providing coverage for notification expenses and regulatory fines and penalties.”

Insurance can indeed be a way to mitigate some of the financial “implications” for the company, but it is not the final answer for end-users, who still bear the consequences that privacy incidents have on them.

I believe that the corporate “risk mitigation” process should also include “proactive” control points (involving technologies, data handling processes and education) aimed at minimising the occurrence of these incidents in the first place, rather than only covering their costs after the fact.

