The cost of data security breach notifications

At first sight, the publication on 10 December of an article headed Data security – is Europe still lagging behind the US? brings a wry smile here. We are used to US articles speaking in condescending terms about everything from our teeth to our discovery processes, so it was faintly amusing to see such a heading in the week after the US managed to mislay so much diplomatically sensitive material.

The article is written by an insurer with an interest in encouraging awareness of data security risks, but that does not invalidate the message that companies must understand the potential costs. The article focuses on the cost of complying with the data breach notification requirements, particularly those of the US, when private information has been compromised. It does indeed seem anomalous that the privacy-conscious EU should be behind the US (at least from the perspective of an insurer) in facing up to the risk of security breaches. The article refers to “the lack of any uniform regulatory status of notification requirements” in the EU as being a reason why European companies are “lagging” in this respect. One might expect that lack of uniformity leads to an increased risk, so I am not sure that that is the cause of the disparity when it comes to buying cover.

It may be that EU companies have weighed the risk and decided advisedly that their risk profile is not such as to warrant the purchase of cover. It is also possible that, with money tight, budgets are being spent on reducing the risk rather than on insuring against the consequences of breach. A further possibility, and one which I favour, is that few companies have undertaken the risk assessment which sets the burden of compliance with security regulations against the cost of insuring against failures to comply.

I will admit to being slightly sceptical about apparently precise statistics such as the average cost of reacting to such things as data breach notification requirements – the article gives a figure of $204 per individual customer or employee (no, please do not tell me how you arrived at it). Accurate or not, the out-of-pocket cost must usually be dwarfed by the disruption, the loss of confidence and the broader reputational consequences of having to admit to data loss.

The article is useful in that it reminds companies of yet another reason for considering the efficacy of their information management and data security systems. Alex Dunstan-Lee of KPMG, in a speech at IQPC in Brussels last year, observed that when a company says it has more important things to focus on, it is not necessarily wrong. New risks have arisen since then, however, in terms of the range of potentially culpable activities, the size of the fines which can be levied and the speed with which bad news now travels.

The starting point must be to make a simple list of all the laws and regulations which are related to the security of information and which may affect your company, of which the cost of data breach notifications is one. The month in which WikiLeaks made a fool of the mighty US would be a good time to start.


About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere.
