<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>In Defense of Data &#187; Data Breach Law Compliance</title>
	<atom:link href="http://www.indefenseofdata.com/category/data-breach-law-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.indefenseofdata.com</link>
	<description>Exposing Data Security Leaks and Breaches</description>
	<lastBuildDate>Tue, 17 Jan 2012 18:00:52 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Data Breach Insurance: Prevention Is the Best Medicine</title>
		<link>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/</link>
		<comments>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 18:00:52 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach insurance]]></category>
		<category><![CDATA[data loss prevention]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=708</guid>
		<description><![CDATA[Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal [...]]]></description>
			<content:encoded><![CDATA[<p>Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal details about its customers. Either way, a data breach can cause millions of dollars in damages.</p>
<p>It’s no wonder then, that businesses are talking more about <a href="http://bits.blogs.nytimes.com/2011/12/23/insurance-against-cyber-attacks-expected-to-boom/" target="_blank">data breach insurance</a>. This coverage is designed to provide businesses with compensation for legal costs and other expenses incurred in the aftermath of a data breach, such as identifying the source of the leak and notifying those whose information may have been compromised.</p>
<p>But at the same time, insurance should not be considered a replacement for adequate preparation and security. You should already have other security measures in place. In fact, many businesses are subject to regulations that mandate security—for instance, some regulations require encryption of sensitive information, greatly reducing the losses when incidents do occur.</p>
<p>If your security measures are less than robust, however, consider for a moment what damage would be done if your customers’ personal information was exposed through a data breach. The insurance would help with some of the costs, such as contacting your customers to make them aware of the problem. But there’s more at stake than court fees and downtime of your network. The loss of trust is one thing that can’t adequately be measured or accounted for by an insurance policy. Once your customers feel betrayed, they will immediately look to your competitors, and they’ll tell their friends to do the same. This abnormal customer churn is the number one cost associated with a data breach, according to the <a href="http://bit.ly/zCBSuQ" target="_blank">U.S. Cost of a Data Breach study</a>.</p>
<p>While the CFO may ask ‘wouldn’t insurance be cheaper,’ the organization needs to look at the cost of a data breach in terms of customer churn – in this case, mitigating the risk of a data breach is the better choice. Your best bet, then, is to ensure that you do everything you can to prevent such a breach from ever happening in the first place.</p>
<p>In order to protect your organization from data breaches that are becoming all too common these days, consider the following preventive measures.</p>
<ul>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures, then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device</li>
<li>Implement two factor authentication</li>
<li>Integrate information protection practices into business processes</li>
</ul>
<p>These common sense measures will help reduce your chances of losing sensitive corporate information. With the right preparation, you may never have to find out just how effective data breach insurance actually is.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are Health Organizations Keeping Patient Data Safe?</title>
		<link>http://www.indefenseofdata.com/2011/09/are-health-organizations-keeping-patient-data-safe/</link>
		<comments>http://www.indefenseofdata.com/2011/09/are-health-organizations-keeping-patient-data-safe/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 14:33:33 +0000</pubDate>
		<dc:creator>John Gobron</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[electronic medical records]]></category>
		<category><![CDATA[healthcare IT]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=596</guid>
		<description><![CDATA[A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than 20,000 patient medical records were exposed in yet another hospital data breach. A report from the Health and Human Services Department (HHS) found that more than 7.8 million people had their [...]]]></description>
<content:encoded><![CDATA[<p>A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than <a href="http://www.nytimes.com/2011/09/09/us/09breach.html" target="_blank">20,000 patient medical records were exposed</a> in yet another hospital data breach. A report from the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf" target="_blank">Health and Human Services Department</a> (HHS) found that more than 7.8 million people had their medical information compromised in more than 30,500 breaches since the enactment of HITECH, while a report from the Digital Forensics Association shows that disclosure of health industry data breaches has increased markedly during this same timeframe.</p>
<p>By the numbers, it would seem that the healthcare industry is in crisis when it comes to protecting patient data, and it’s costing them. According to the Ponemon Institute <a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon" target="_blank">2011 U.S. Cost of a Data Breach study</a>, sponsored by Symantec, health data breaches cost $301 per lost record, which is 40 percent higher than average. Contributing to the higher cost is compliance with data protection regulations that requires health organizations to do more to find, disclose and fix breach-related problems. In addition to disclosure laws in 49 states, healthcare organizations also must comply with HIPAA and HITECH.</p>
<p>Understandably, healthcare organizations, like financial institutions, face stricter regulation and disclosure requirements, which may contribute to the perception that there are more breaches in these industries. What’s more likely is that there are simply more ‘reported’ breaches and more headlines. But that’s not to say that the problem is overstated.</p>
<p><strong>Curious Insiders and Health Data Breaches</strong></p>
<p>Another <a href="http://www.eweek.com/c/a/Health-Care-IT/71-Percent-of-Health-Care-Companies-Suffer-Data-Breaches-in-Past-Year-Report-332736/" target="_blank">report</a> announced last week indicates that 71 percent of healthcare providers reported at least one medical records security breach in the prior year. What’s even more interesting, the majority of breaches were insiders snooping into the records of coworkers, friends and family. The same report found that loss or theft of equipment containing PHI caused 20 percent of breaches.</p>
<p>On the other hand, nearly half of the major data breach incidents, those affecting more than 500 records, reported to HHS resulted from theft, including stolen electronic equipment such as network components, laptops or hard drives.</p>
<p><strong>Rx to Reduce Risk of Breach</strong></p>
<p>For all the good that healthcare IT systems and electronic medical records bring to patients and providers, they also bring significant risk if not managed appropriately. Mishandling of patient data can lead to identity theft, regulatory issues, fines and more. Healthcare organizations need to make sure that the right people have access to the right data for the right use.</p>
<p>By creating a culture of security through training, policies and actions, organizations can help to reduce their risk of data privacy violations. At the same time, it’s important that organizations avoid demonizing the individual and assuming his or her actions were malicious. Instead, the organization should help to educate the insider on proper security procedures and policies.</p>
<p>A complete prescription to avoid data loss will also include technology solutions. Symantec recommends healthcare organizations consider the following to further reduce their risk of data breach:</p>
<ol>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures, then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device</li>
<li>Implement two factor authentication</li>
<li>Integrate information protection practices into business processes</li>
</ol>
<p>What has been your biggest challenge in protecting patient health data?</p>
<p><em>John Gobron is the national healthcare director at Symantec and has more than 15 years of experience in the healthcare industry.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/09/are-health-organizations-keeping-patient-data-safe/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Regulations Driving Data Breach Costs Higher Worldwide</title>
		<link>http://www.indefenseofdata.com/2011/06/regulations-driving-data-breach-costs-higher-worldwide/</link>
		<comments>http://www.indefenseofdata.com/2011/06/regulations-driving-data-breach-costs-higher-worldwide/#comments</comments>
		<pubDate>Thu, 09 Jun 2011 12:01:34 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[Cost of a Data Breach]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[user authentication]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=437</guid>
		<description><![CDATA[It seems that no matter where you are, you’re paying more for data breach these days. The Ponemon Institute, together with Symantec, released results of the second annual 2010 Global Cost of a Data Breach report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and [...]]]></description>
			<content:encoded><![CDATA[<p>It seems that no matter where you are, you’re paying more for data breach these days. The Ponemon Institute, together with Symantec, released results of the second annual <a href="http://bit.ly/lElSm1" target="_blank">2010 Global Cost of a Data Breach</a> report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary between regions. The United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114 (a whopping $100 less than the United States).</p>
<p>But enough with the numbers, the interesting stuff is what’s behind the rising global cost of a data breach. It’s certainly true that companies face intense pressure to improve data security. In 2010, there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile data breaches really aren’t anything new—though they’re probably getting more attention than in years past. What has continued to evolve is regulation.</p>
<p>Governments have taken steps to strengthen data privacy oversight. It truly appears to be a national priority in all countries studied. Here’s a quick look at what changed in 2010:</p>
<ul>
<li>Germany, the United Kingdom and Australia gave additional powers to their national data privacy offices</li>
<li>All governments surveyed except the United Kingdom introduced legislation to improve their powers to protect sensitive data.</li>
<li>The U.S. Congress introduced numerous bills that made further progress toward a national data breach notification law.</li>
<li>German lawmakers introduced draft legislation designed to improve data protection for employees.</li>
<li>Australia and France, two countries without data breach notification laws, introduced landmark draft legislation that would eventually create these laws.</li>
</ul>
<p>While last year’s report tipped us off to the impact that regulation has on escalation of data breach costs, this year’s report has confirmed this trend in a number of findings. I’d like to delve into two of these findings, but you can read more about all of them in the <a href="http://bit.ly/lrujrs" target="_blank">report (PDF)</a>.</p>
<p>The first is that <strong><em>breach costs correspond with national data protection priorities, especially regulatory compliance.</em></strong></p>
<p>In the United States and Germany breach costs are highest; these are also the countries with the most regulations surrounding data protection and data breach notification. Also, this year, regulatory compliance surpassed data breach mitigation as the main driver of spending on encryption technologies in the United States, and by extension other data protection technologies.</p>
<p>In addition, companies in Australia, France and the United States are willing to pay more for activities such as quick response and external consulting support. This may indicate that organizations are spending more to shore up their compliance with data protection regulations.</p>
<p>Given that France and Australia have laws in the works to bolster data protection regulation and the United Kingdom is starting to enforce more data breach fines as a deterrent, it will be interesting to see how the cost of data breach will be impacted moving forward.</p>
<p>An equally interesting conclusion from the report is that <strong><em>lost business and/or ex-post response are increasingly becoming the main components of data breach costs in all countries surveyed. </em></strong></p>
<p>All countries except the United States saw increases in lost business. And, all countries except Australia reported higher spending on ex-post response, which includes what the organization does to fix the problem and meet regulations as part of its response. At the same time, notification costs stayed flat in most countries.</p>
<p>This finding speaks to the changing regulatory environment’s impact on data breach costs. Lost business tells us that consumers really care about how well organizations protect their information. And with more regulations requiring notification and more companies rapidly responding to breaches, it stands to reason that organizations would lose more business and that their data breach costs would subsequently go up.</p>
<p>By and large, compliance with data protection regulations requires organizations to do more to find, disclose and fix breach-related problems. These tasks correspond with the detection and escalation, notification and ex-post response cost activities, respectively. Strong growth in ex-post response may reflect increased compliance activities, as this stage often requires more investment than the notification process.</p>
<p>While companies worldwide are doing more to not only comply with regulations, but also to ensure protection of sensitive personal data from breaches, they still face ever-increasing challenges to data protection. Technologies such as cloud computing and virtualization and the proliferation of consumer devices within their networks pose definite risks to sensitive information. However, implementing information protection best practices and technologies can reduce the risk of a data breach incident. Symantec recommends the following best practices to avoid data loss:</p>
<ul>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures (such as streamlined social media profiles), then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy <a href="http://bit.ly/kDgnj6" target="_blank">data loss prevention</a> technologies which enable policy compliance and enforcement</li>
<li>Proactively <a href="http://bit.ly/jQjPR2" target="_blank">encrypt</a> laptops to minimize consequences of a lost device</li>
<li>Implement two factor <a href="http://bit.ly/la5AwC" target="_blank">authentication</a> (Ex. VPN plus strong user name and password)</li>
<li>Integrate information protection practices into business processes</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/06/regulations-driving-data-breach-costs-higher-worldwide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Tokenization the Cure for Meeting PCI DSS and Minimizing Data Breaches?</title>
		<link>http://www.indefenseofdata.com/2011/05/is-tokenization-the-cure-for-meeting-pci-dss-and-minimizing-data-breaches/</link>
		<comments>http://www.indefenseofdata.com/2011/05/is-tokenization-the-cure-for-meeting-pci-dss-and-minimizing-data-breaches/#comments</comments>
		<pubDate>Wed, 04 May 2011 15:27:12 +0000</pubDate>
		<dc:creator>Min Ju</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[IT Risk and Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[PCI 2.0]]></category>
		<category><![CDATA[tokenization]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=380</guid>
		<description><![CDATA[One thing gaining traction in PCI DSS is the notion of tokenization, which uses a unique identifier instead of the credit card data after its first use in an authorized transaction.  Afterwards, the actual card data is stored in a centralized, highly secure server called a &#8220;vault&#8221; and a token is used in its place.  This [...]]]></description>
			<content:encoded><![CDATA[<p>One thing gaining traction in PCI DSS is the notion of tokenization, which uses a unique identifier instead of the credit card data after its first use in an authorized transaction.  Afterwards, the actual card data is stored in a centralized, highly secure server called a &#8220;vault&#8221; and a token is used in its place.  This approach removes the actual card data from the applications and systems when it isn&#8217;t needed and reduces the amount of Cardholder Data Environment (CDE) that&#8217;s in scope for PCI. This, in turn, makes it easier to manage and meet PCI compliance!</p>
<p>Why? Because if a system, application or host doesn&#8217;t actually store or process card data—remember, they&#8217;re using a token instead—then it may not be in scope for the PCI environment. This may significantly reduce what &#8220;things&#8221; are parts of the PCI environment. Another advantage of PCI tokenization is that if an attacker compromises the system and obtains this token, it isn&#8217;t card data, thereby reducing the impact of a data breach.</p>
<p>Organizations can also outsource the &#8220;vault&#8221; to a third party which may transfer the liability and responsibility to them as it will no longer be a part of the customer&#8217;s CDE.  Of course, they will still need to ensure they do their due diligence and take due care even if they use a third party for this.  Moving to a third party model for the &#8220;vault&#8221; raises another point.  It may be a single point of failure and/or a more attractive target for attackers to go after.  Can you imagine the incentive this would raise for malicious attackers?  It would be the &#8220;Golden Chalice&#8221; and the &#8220;keys to the kingdom.&#8221;</p>
<p>My perspective is that PCI DSS compliance is a spectrum.  On one side you have 200+ specific requirements;  on the other end, you have much fewer requirements because you&#8217;ve been able to reduce the CDE. Ultimately, this will reduce the technology, administrative and operational burden.  Yes, there are pros and cons, but it&#8217;s an interesting idea.</p>
<p>What do y&#8217;all think about this? I&#8217;d like to hear about it. Please, let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/05/is-tokenization-the-cure-for-meeting-pci-dss-and-minimizing-data-breaches/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cost of a Data Breach Climbs Higher</title>
		<link>http://www.indefenseofdata.com/2011/03/ponemon-cost-of-a-data-breach-climbs-higher/</link>
		<comments>http://www.indefenseofdata.com/2011/03/ponemon-cost-of-a-data-breach-climbs-higher/#comments</comments>
		<pubDate>Tue, 08 Mar 2011 10:00:00 +0000</pubDate>
		<dc:creator>Larry Ponemon</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[Cost of a Data Breach]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=313</guid>
		<description><![CDATA[Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.
But, that hasn’t happened yet. The latest U.S. Cost [...]]]></description>
			<content:encoded><![CDATA[<p>Most privacy advocates and people in the data protection community believe that data breach costs will start coming down eventually because consumers will become somewhat immune to data breach news. The idea is that data breach notifications will become so commonplace that customers just won’t care anymore.</p>
<p>But, that hasn’t happened yet. The latest <a href="http://bit.ly/hlgCne" target="_blank">U.S. Cost of a Data Breach</a> report (PDF), which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.</p>
<p>It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends.</p>
<p><a href="http://www.indefenseofdata.com/wp-content/uploads/2011/03/SymInfographic-Data-Breach-Final.jpg"><img class="alignleft size-full wp-image-316" title="SymInfographic-Data-Breach-Final" src="http://www.indefenseofdata.com/wp-content/uploads/2011/03/SymInfographic-Data-Breach-Final-e1299534025717.jpg" alt="Data Breach Trends" width="594" height="459" /></a></p>
<p><strong><em>Rapid response to data breach costs more</em></strong>. For the second year, we’ve seen companies that quickly respond to data breaches pay more than companies that take longer. This year, they paid 54 percent more.</p>
<p>Fueling this rush to notify is compliance with regulations like HIPAA and the HITECH Act and the numerous state data breach notification laws. It seems that U.S. companies have this urgency to just get the notification process over with. Unfortunately, these companies are in such a hurry to do the right thing and notify victims that they end up over-notifying. This causes customers who are not actually at risk to lose trust in the company and abnormal customer churn increases. Companies that take a more surgical approach and spend the time on forensics to detect which customers are actually at risk and require notification, ultimately spend less on data breaches.</p>
<p><strong><em>Malicious or criminal attacks are causing more breaches</em></strong>. This year malicious attacks were the root cause of 31 percent of the data breaches studied. This is up from 24 percent in 2009 and 12 percent in 2008. The significant jump in malicious attacks over the past two years is certainly indicative of the worsening threat environment. Malicious attacks come from both outside and inside the organization, ranging from data-stealing malware to social engineering.</p>
<p>What’s more, these data breaches are the most expensive. Malicious attacks create more costs because they are harder to detect, the investigation is more involved and they are more difficult to contain and remediate. Another reason malicious attacks are so expensive is the criminal is out to monetize their work; they’re trying to profit off the breach.</p>
<p>However, it’s not always the bad guys doing bad things that cause data breaches. It’s often your best employees making silly mistakes. Negligence is still the leading cause of data breaches at 41 percent.</p>
<p>There is good news. <strong><em>Companies are more proactively protecting themselves from malicious threats.</em></strong> Three response characteristics increased in frequency: the number of organizations responding quickly (within 30 days), those putting CISOs in charge of data breach response, and those with an above-average IT security posture. Moreover, breaches due to systems failures, lost or stolen devices and third-party mistakes all fell. And, average detection and escalation costs went up by 72 percent, suggesting that companies are investing more resources in prevention and detection. Taken together, these figures may indicate organizations are taking more active steps to thwart hostile attacks.</p>
<p>So, what’s a company to do with all of this data breach cost information? <strong><em>Calculate your potential cost of a data breach</em></strong>. This year, in conjunction with the report, Symantec and the Ponemon Institute have launched the <a href="http://bit.ly/h5BnXJ" target="_blank">Data Breach Risk Calculator</a>. This free online tool lets companies connect the dots between all of this research and what it really means to them. The Data Breach Risk Calculator lets you estimate how a data breach could impact your company. You can check it out at <a href="http://bit.ly/h5BnXJ" target="_blank">www.databreachcalculator.com</a>.</p>
<p>As always, I’d love to hear from you. What do you think about our findings? Do they correlate with what you’re seeing?</p>
<p><em>Dr. Larry Ponemon is chairman and founder of the </em><a href="http://www.ponemon.org/" target="_blank"><em>Ponemon Institute</em></a><em>. The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/03/ponemon-cost-of-a-data-breach-climbs-higher/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ICO enforces first data breach fines – four steps to avoid them</title>
		<link>http://www.indefenseofdata.com/2010/11/ico-enforces-first-data-breach-fines-four-steps-to-avoid-them/</link>
		<comments>http://www.indefenseofdata.com/2010/11/ico-enforces-first-data-breach-fines-four-steps-to-avoid-them/#comments</comments>
		<pubDate>Mon, 29 Nov 2010 22:28:50 +0000</pubDate>
		<dc:creator>Jamie Cowper</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=173</guid>
		<description><![CDATA[Yet again, data breaches are in the spotlight. The Information Commissioner’s Office (ICO) made its first round of data breach fines last week, effectively giving the Data Protection Act (DPA) “teeth.” The ICO showed that its bite lives up to its bark, penalizing a local council and an employment services firm to the tune of [...]]]></description>
			<content:encoded><![CDATA[<p>Yet again, data breaches are in the spotlight. The Information Commissioner’s Office (ICO) made its first round of <a href="http://www.itpro.co.uk/628864/ico-deals-out-160-000-in-data-breach-fines" target="_blank">data breach fines</a> last week, effectively giving the Data Protection Act (DPA) “teeth.” The ICO showed that its bite lives up to its bark, penalizing a local council and an employment services firm to the tune of a combined £160,000.</p>
<p>But, future fines are largely avoidable, if organisations adhere to security best practice. For a data breach to attract financial penalty, the ICO must be satisfied that a serious breach is likely to cause “damage or distress” and that it was either “deliberate” or “negligent” and that the organisation “failed to take reasonable steps to prevent it.”</p>
<p>Information has become the lifeblood of organisations and it must be managed properly. To avoid further data breach fines, organisations need clear guidelines in place to determine how sensitive information is used.</p>
<p>Symantec offers a four-step guide to avoiding further data breach fines.</p>
<p>1. <strong>Develop and enforce a robust security policy</strong> that includes:</p>
<ul>
<li>Tight governance regarding use of customer data – it should not physically leave the premises unless absolutely necessary</li>
<li>Use strong encryption appropriately for data that does have to leave the premises</li>
<li>Restrict access to customer data only to those staff for whom it is essential</li>
<li>Ensure that confidential data cannot be copied on to portable media such as USB sticks or CDs</li>
<li>Monitor information leaving via email and websites for appropriateness</li>
<li>Implement user education and awareness programmes within organisations, to reinforce the importance of protecting sensitive information</li>
</ul>
<p>2. <strong>Protect and manage all PCs, laptops and servers</strong>. Maintain active, up-to-date antivirus, anti-spyware and firewall protection.</p>
<p>3. <strong>Create strong passwords for all systems and hardware</strong>. Use at least eight characters with a combination of numbers, letters and punctuation marks, and don’t reuse a password that is active on other accounts.</p>
<p>4. <strong>Don’t forget non-electronic security</strong>.</p>
<ul>
<li>Shred any documents that contain identifying information before disposing of them</li>
<li>Don’t leave financial documents and sensitive information in an unsecured environment, and limit access to facilities</li>
<li>Regular education of employees can help improve awareness of appropriate behaviour</li>
</ul>
<p>It’s clear that data breaches are not going away. And it’s more important than ever that organisations follow best practice to secure their sensitive information. As the ICO’s actions prove, organisations that get it wrong will pay dearly.</p>
<p><em>Jamie Cowper is a data protection specialist at Symantec.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2010/11/ico-enforces-first-data-breach-fines-four-steps-to-avoid-them/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Research Shows Compliance Driving More Encryption Adoption</title>
		<link>http://www.indefenseofdata.com/2010/11/compliance-driving-encryption-adoption/</link>
		<comments>http://www.indefenseofdata.com/2010/11/compliance-driving-encryption-adoption/#comments</comments>
		<pubDate>Mon, 22 Nov 2010 19:33:07 +0000</pubDate>
		<dc:creator>Larry Ponemon</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[compliance]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=152</guid>
		<description><![CDATA[Recently, the Ponemon Institute completed the 2010 Annual Study: U.S. Enterprise Encryption Trends. This was the fifth year for the annual study on encryption usage and the results indicate a distinct shift in what’s driving companies to implement encryption technologies.
In past years, data breach mitigation has consistently been the top driver of encryption adoption—organizations were [...]]]></description>
			<content:encoded><![CDATA[<p>Recently, the Ponemon Institute completed the <a href="http://bit.ly/cfTq95" target="_blank"><em>2010 Annual Study: U.S. Enterprise Encryption Trends</em></a><em>. </em>This was the fifth year for the annual study on encryption usage and the results indicate a distinct shift in what’s driving companies to implement encryption technologies.</p>
<p>In past years, data breach mitigation has consistently been the top driver of encryption adoption—organizations were buying encryption in response to a breach issue. But, for the first time regulatory compliance has surpassed data breach mitigation as the top reason why organizations deploy encryption technologies.</p>
<p><a href="http://bit.ly/bSuCqq"><img class="alignnone size-full wp-image-160" title="SymInfographic-Encryption Trends Report JPEG" src="http://www.indefenseofdata.com/wp-content/uploads/2010/11/SymInfographic-Encryption-Trends-Report-JPEG1.jpg" alt="" width="554" height="428" /></a></p>
<p>And, there’s no shortage of industry data protection and privacy rules to comply with. There’s a veritable alphabet soup of regulations and industry standards—HIPAA, PCI DSS, HITECH—plus more data protection legislation at the state level. The impact of all these requirements is reflected in our research.</p>
<p>Organizations are getting ahead of the curve with their encryption strategy before the breach occurs, not after. They want to prevent exposure and make sure data is safe; and they’re allocating the funds to do so.</p>
<p>Our research also found that solutions involving encryption have seen the biggest increase in IT budget earmarks over the past year. Five years ago, when we started doing this annual study, encryption was in a “good idea” category: if organizations had some extra funds, they’d buy it. Now it’s earmarked in the budget.</p>
<p>It’s becoming clear that encryption is increasingly important to risk management efforts. Organizations understand there is potential for a breach and they are putting preventive measures in place before, not after the event. That’s what is driving them to fund and implement encryption technologies. Only time will tell, but we think this trend will continue.</p>
<p>Download the full report to learn more about these and other <a href="http://bit.ly/bKrD1I" target="_blank">encryption adoption drivers</a>. And, please share your thoughts and feedback on the results. I welcome your comments.</p>
<p><em>Dr. Larry Ponemon is chairman and founder of the </em><a href="http://www.ponemon.org/" target="_blank"><em>Ponemon Institute</em></a><em>. The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2010/11/compliance-driving-encryption-adoption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Common Barriers to PCI Compliance and DSS 2.0</title>
		<link>http://www.indefenseofdata.com/2010/10/common-barriers-to-pci-compliance-and-dss-2-0/</link>
		<comments>http://www.indefenseofdata.com/2010/10/common-barriers-to-pci-compliance-and-dss-2-0/#comments</comments>
		<pubDate>Fri, 22 Oct 2010 14:31:54 +0000</pubDate>
		<dc:creator>Michael Garvin</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[PCI 2.0]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=129</guid>
		<description><![CDATA[As a QSA I’m often asked which requirements organizations typically struggle with, what solutions they implement, and how these factor into the cost of compliance. With the introduction of PCI DSS 2.0 this year I’m adding another question to the mix: how does the revised standard change this?
As I’ve posted previously the changes to the [...]]]></description>
			<content:encoded><![CDATA[<p>As a QSA I’m often asked which requirements organizations typically struggle with, what solutions they implement, and how these factor into the cost of compliance. With the introduction of PCI DSS 2.0 this year I’m adding another question to the mix: how does the revised standard change this?</p>
<p>As I’ve posted previously, the changes to the DSS are evolutionary and should not present any major issues to organizations already in compliance. I would further add that I do not see the changes significantly shifting the landscape with respect to the challenges that organizations already face in complying. Before I dig into that let’s take a look at what some of those are based on trends collected from the numerous PCI assessments Symantec’s Advisory Services QSA team has performed:</p>
<ul>
<li>Lack of formalized policies, standards, and procedures: these may be “social” but not written, and may not be reflected in the actual implementations (applies to multiple Requirements).</li>
<li>“Roll Your Own” practices: re-inventing the wheel may lead to a poorly designed wheel, and you may miss lessons learned that have been captured in industry best practices (applies to multiple Requirements).</li>
<li>Cardholder data environment is not segmented from operations: systems, people, and infrastructure are commingled, leading to increased and unmanageable scope for PCI compliance (PCI DSS scope).</li>
<li>Lack of adequate logging and analysis capabilities: impairing the ability to detect and respond to incidents, and to perform effective forensic efforts (Requirement 10).</li>
<li>Insufficient testing and follow-up: new vulnerabilities are not detected and addressed in a timely manner, possibly with little or no validation that installed controls are effective (Requirements 6 and 11).</li>
<li>Emphasis on business operations at the expense of security: looking to minimize time to market, costs, etc., with poor security likely eventually having a negative impact on the business.</li>
</ul>
<p>On October 4, 2010 Verizon released its “Verizon Payment Card Industry Compliance Report” (<a href="http://www.verizonbusiness.com/go/pcireport">http://www.verizonbusiness.com/go/pcireport</a>). Many of the findings overlap with what Symantec has seen and seem to indicate industry-wide trends.</p>
<p>Based on this, how will compliance with 2.0 be affected? From a requirements perspective, I feel the answer is not much. The clarifications being made should help organizations understand their responsibilities better, but should not increase or decrease them. Some changes may open new avenues to compliance that might make it easier to comply given an organization’s existing capabilities.</p>
<p>That said, responsibilities for understanding and documenting scope and cardholder data flow and storage will be shifting toward the organization with 2.0. I’ve seen organizations of all sizes struggle with this in the past, and would not be surprised to see this join the other challenges we’ve seen.</p>
<p>My suggestion would be that organizations continue addressing these challenges as they have been, and begin considering if the revised standard offers any new avenues for compliance in conjunction with their QSA, Acquirer, or Card Brand, as appropriate. I would also suggest developing a methodology for scoping and cardholder data flow to give yourself time to mature it and avoid facing another potential challenge.</p>
<p>As always, your feedback and questions are welcomed!</p>
<p><em>Symantec’s Lead Technical QSA, Michael Garvin has worked in information security, compliance, system administration, and enterprise architecture for nearly 20 years. His experience includes higher education, service providers, and corporations including Sun Microsystems. He has been delivering PCI assessments with Symantec for four years and participates in PCI SSC activities. Michael is a CISSP, PCI QSA, CHP (Certified HIPAA Professional), CHSS (Certified HIPAA Security Specialist), and is an early adopter of the Certificate of Cloud Security Knowledge (CCSK).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2010/10/common-barriers-to-pci-compliance-and-dss-2-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Does PCI DSS 2.0 Mean To Me?</title>
		<link>http://www.indefenseofdata.com/2010/09/what-does-pci-dss-2-0-mean-to-me/</link>
		<comments>http://www.indefenseofdata.com/2010/09/what-does-pci-dss-2-0-mean-to-me/#comments</comments>
		<pubDate>Thu, 30 Sep 2010 21:49:50 +0000</pubDate>
		<dc:creator>Michael Garvin</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[IT risk management]]></category>
		<category><![CDATA[PCI 2.0]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=121</guid>
		<description><![CDATA[Last week was the PCI Community Meeting in Orlando, FL. Symantec was represented by myself and Chuck Kesler, who joined nearly 1,050 other professionals from across multiple industries for three days worth of sessions and presentations. The meeting was a great opportunity to hear about the state of payment card security, emerging technologies, the upcoming [...]]]></description>
			<content:encoded><![CDATA[<p>Last week was the PCI Community Meeting in Orlando, FL. Symantec was represented by Chuck Kesler and me, who joined nearly 1,050 other professionals from across multiple industries for three days’ worth of sessions and presentations. The meeting was a great opportunity to hear about the state of payment card security, emerging technologies, the upcoming revisions to the Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS), and to network with clients and peers. It was also nice to put faces with the names and voices from the Scoping SIG after a year’s worth of work.</p>
<p>Having returned to the office the question we’re now hearing is this: what does PCI DSS 2.0 mean to me? How will it impact my compliance efforts, and what will the cost be? And how long do I have to comply?</p>
<p>The latter question is the simplest to answer. Assessments against version 2.0 can begin on January 1, 2011, but organizations will not be required to assess on 2.0 until December 31, 2011 (the sunset date for version 1.2). The former questions are a little bit more difficult to answer, paying homage to the oft-repeated PCI mantra “it depends.”</p>
<p>Overall the changes to the DSS are evolutionary and should not present issues to organizations already in compliance. Much of the work has been around clarifying the standard and associated guidance, with the intent of making it easier for all to understand and of making assessments more consistent across QSAs (a complaint heard a few times during the open mic sessions). Some of the changes address emerging technologies such as virtualization, while others attempt to mature the standard to address the changing threat landscape. And some of the changes will open opportunities for controls that organizations have not previously had.</p>
<p>In addition to the revised DSS and PA-DSS standards, a variety of additional guidance and supplements will be released. An updated navigation guide will address the intent of the requirements, while the Self Assessment Questionnaires (SAQ) and Attestation of Compliance (AOC) will be aligned and simplified. The various Special Interest Groups (SIGs) will also be releasing documents on subjects such as virtualization and cloud computing, tokenization, point-to-point encryption (the preferred term for end-to-end encryption), scoping, wireless including Bluetooth, and how EMV cards interact with the DSS.</p>
<p>Over the coming weeks and months, we’ll be trying to address the changes, opportunities, and pitfalls the revised DSS represents, as well as discuss the varying additional guidance and documentation that will be released. As always, your feedback and questions are welcomed!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2010/09/what-does-pci-dss-2-0-mean-to-me/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

