There has been an epidemic of data breaches in recent months, prompting action in the United States Congress to introduce new legislation to protect consumer data. A recent survey, however, found that most businesses are more concerned with their own brand integrity and reputation than whatever punitive damages might result from compliance mandates.
The Secure and Fortify Electronic Data Act, better known as the SAFE Data Act, is currently making its way through the United States House of Representatives. If passed, the legislation will create a national framework for information security and data protection, along with national laws governing disclosure when a breach occurs.
Testifying before a House subcommittee in June, BSA President and CEO Robert Holleyman said, "It requires organizations that hold sensitive personal information to implement reasonable security procedures. It creates market incentives to adopt strong security measures. It ensures that consumers will be notified when a breach puts them at risk of identity theft, fraud or other unlawful activity," adding, "By creating a uniform, national framework that preserves an enforcement role for state authorities, it also streamlines compliance burdens. The net effect will be good for businesses and consumers alike."
On the other hand, a recent survey conducted jointly by CyberSource and Trustwave reveals that businesses are not intimidated by legislation, or concerned about financial penalties associated with compliance mandates and regulations. What businesses are concerned with is their own reputation and the integrity of their brand.
A press release for the survey explains that seven in ten respondents cite the need to "protect the brand" as the primary driver for tighter information security and data protection measures. "Only 26 percent said avoiding fines resulting from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) were the key motivator."
"A breach has serious consequences for nearly every division of an eCommerce merchant's organization," said Dayna Ford, Senior Director of Product Management at CyberSource. "But by far the most damaging impact is to the company's brand, affecting revenue, customer loyalty, and even stock valuation."
The good news is that consumers, and the market in general, apparently still have some influence. The CyberSource/Trustwave survey seems to indicate that the negative fallout from violating customer loyalty, tarnishing the reputation of the company, and degrading the value of the company's stock are the main considerations driving businesses to implement better data protection.
The bad news is that companies apparently don't care about their brand reputation, customer loyalty, or stock price enough to proactively invest in better information security technologies, or be more diligent about protecting the data they are entrusted with.
If recent events have shown anything, it's that most companies still view data breaches as something that happens to other unfortunate companies. Although their own brand integrity may be their primary concern, they don't perceive the threat to be significant enough to actually take action.
That is where legislation like the SAFE Data Act, or industry mandates like PCI DSS, come in. It may be a lesser concern, but hopefully the additional impact of regulatory consequences and financial penalties, along with required compliance audits, will drive more businesses to do the things they should be doing on their own if they are really concerned about protecting their brand, never mind protecting the customer data they have been entrusted with.