Brad Gow, VP – ACE USA
Businesses can no longer afford to
treat data security as just another
problem for the IT department: it's
now a mission-critical issue for the
executive suite. Companies that fail
to adequately protect personal information
not only run the risk of lawsuits
and legal penalties, but also severe
- and potentially fatal - hits to
their bottom line.
Top executives and risk managers
also need to recognize that the dangers
posed by theft of personal data have
escalated sharply in terms of financial
liability and the potential for irreparable
damage to a company's reputation.
The loss of confidence in a company's
ability to properly manage confidential
information can jeopardize the survival
of its business. Recently, a well-known
credit card processor was dropped
by several major credit card brands
after a security breach in its system
exposed millions of consumer accounts
to possible fraud.
As consumers grow increasingly worried
about identity theft and internet-based
fraud, Congress has set stricter
standards for protecting personal
and corporate data with privacy legislation
including the Gramm-Leach-Bliley,
Health Insurance Portability and Accountability
(HIPAA) and Sarbanes-Oxley acts. In
addition, the state of California
now requires businesses to notify
customers when their personal data
has been exposed to potential misuse.
The costs of notifying tens of thousands
of customers may be significant, but
are inconsequential compared to the
potential loss of consumer confidence
and goodwill.
Along with new legal standards, companies
must confront increasingly sophisticated
attacks from computer criminals. The
threat has escalated from teenage
hackers bent on virtual vandalism
to organized criminal gangs, many
operating out of Eastern Europe and
outside the reach of U.S. authorities,
seeking to steal sensitive information
and hijack corporate systems for their
own use.
To protect themselves, businesses
need to take a proactive approach
to data security and information management
that recognizes the significant financial,
legal and reputation risks involved.
It is critical that senior executives
and risk managers take a leadership
role in building privacy and information
security into their organization's
cultures. As a first step, businesses
need to formally inventory all of
the data housed on corporate systems,
classify it according to value and
sensitivity, and then take adequate
measures to secure it. Recognizing
that these information security and
privacy exposures can also pose a
significant threat to the balance
sheet, companies need to protect themselves
financially by seeking risk transfer
options as part of their overall risk
management program.
Modern business runs on digital data.
Securing that data is an essential
part of corporate risk management
today.