After the breach at a credit card
payment-processing company in 2005
exposed millions of accounts to fraud,
Republican Sen. Arlen Specter of Pennsylvania
and Democratic Sen. Patrick Leahy
of Vermont introduced a bill that
would make notification of customers
mandatory nationwide.
“Insecure databases have become
low-hanging fruit for hackers looking
to steal identities and commit fraud
during a time when we are seeing a
troubling rise in organized rings
that target personal data to sell
in online, virtual bazaars,”
Leahy said in a press release after
introducing the Personal Data Privacy
and Security Act.(32)
While consumers may welcome the tougher
standards, businesses face substantial
costs to meet the new mandates. The
notification laws have forced businesses,
which formerly may have tried to keep
networking breaches quiet, to come
forward and have made it impossible
to avoid reputation-damaging publicity.
Businesses also face steep costs to
notify tens of thousands or even hundreds
of thousands of customers in the event
of a breach.
All told, complying with new data
security standards will cost U.S.
businesses some $80 billion over the
next five years, according to a 2005
study by AMR Research.(33) The
Boston-based research firm estimated
that spending on compliance in 2005
alone would total more than $15 billion.
Spending for compliance with Sarbanes-Oxley
was estimated at nearly 40 percent
of the total, or more than $6 billion,
while spending on HIPAA was estimated
at $3.7 billion, or just under one-quarter
of total spending. While technology
forms a significant part of those
costs, investment in internal staff
was the largest cost.
A Threat to the Balance Sheet
The cost to business of survival in
the digital economy cannot be measured
simply by the billions of dollars
required to comply with new regulations.
As the criminal threat has escalated,
so too have the dangers. The failure
to adequately protect confidential
data can lead to a loss of business,
leave a company open to lawsuits, and severely
threaten its balance sheet.
In the past, businesses could seek
to protect their assets with physical
barriers and security guards. In the
digital age, the critical battle has
moved online. As businesses seek to
take advantage of the Internet, they
have to allow outsiders to access
portions of their carefully protected
computer systems, making themselves
vulnerable in the process. As a company’s
dependence on the Internet grows,
so does its potential loss exposure.
Naturally, criminals target the companies
that depend on the kind of personal
information that is most valuable
for Internet scam artists. Because
they routinely deal with credit card
information, online retailers, financial-data
processing companies, and the medical
industry are among the most attractive
targets. For example, online fraud
was expected to cause losses of about
$2.8 billion in electronic commerce
in 2005, up $200 million, or 8 percent,
from 2004, according to a study by
CyberSource Corporation.(34)
Besides fraud, businesses face other
losses from cyber crime and security
breaches, such as lost productivity,
system downtime, and the costs of
repair and recovery.
Cyber Exposures and Liabilities
Companies that depend on the Internet
for their livelihood can be devastated
by attacks that shut down their Web
sites. Businesses also face shutdowns
when crucial infrastructure is attacked
or operations at a vendor’s
site go down. For example, the Slammer
virus in 2003 temporarily brought
down most of a national bank’s
automatic teller systems, as well
as a major airline’s online
reservation system.(35)
The Sobig virus the same year disrupted
U.S. freight and passenger rail traffic.(36)
Besides Web site and network shutdowns,
businesses have to factor in the cost
of lost trade secrets and lost proprietary
information. If crucial product plans
are corrupted or stolen, a business
could be set back for months as it
tries to restore the data, or it could
be forced to recreate months of work
to get back to where it was, at the
same time facing the possibility of
losing a critical market opportunity.
In addition to those risks, however,
businesses face some worrying exposures
that may not be as apparent, such
as the loss of future business as
customers or clients lose confidence
in the company’s ability to
protect private information.
For instance, when a security breach
at a credit card payment-processor
exposed about 40 million accounts
to potential fraud, major credit card
brands quickly said they would stop using
the company, dealing it a potentially
fatal loss of business.(37)
As a company’s reputation suffers
among its clients and consumers, its
investors also may become wary, potentially
hurting its market value and its ability
to attract new investors.