A couple of weeks ago, 37signals, makers of the popular project management app Basecamp, wrote a blog post about the 100 millionth file upload. In the post, the author made an ostensibly innocent comment about the filename: cat.jpg.
Funny, right? 37signals co-founder David Heinemeier Hansson was not laughing.
So, what’s the big deal? As David explains in his apologetic follow-up post, if a 37signals employee can not only view, but comment publicly about cat.jpg, what prevents them from doing the same with truly sensitive data, like Downsizing-Plans-2012.pdf?
Even though this incident was extremely minor on the spectrum of data security issues (just ask Sony), it’s clear from David’s apology that 37signals feels a responsibility to safeguard customer data and uphold a high standard of trust and openness. 37signals should be commended for acknowledging and addressing this responsibility.
In an ideal world, every company would honor their obligation to protect their customers’ private information. Protecting customer data is certainly the right thing to do from a moral perspective; it is also the right thing to do—in fact, the urgent, critical thing to do—from a business perspective. Who will put their money in a bank that doesn’t lock its vault when there is a responsible bank down the street?
Unfortunately, despite the moral and financial incentives, many companies neglect to take the most basic measures to secure personal data, and some don’t disclose when their systems have been compromised. As the number of individuals negatively impacted each year by breaches continues to skyrocket, legislators and regulatory agencies are putting pressure on organizations to get control of their data or risk substantial fines and lawsuits.
When there is a trend that threatens the welfare of consumers, public companies and its shareholders, regulations always follow. Not surprisingly, 46 US states have enacted laws that mandate security breach notification and adherence to strict standards (such as PCI-DSS) which prescribe rules about passwords, data encryption, access controls, event monitoring, security policies, and more. The EU has even broader legislation pending. In an attempt to mitigate risk to investors, the SEC has released a “Disclosure Guidance” document advising firms to disclose in their regulatory filings attacks and breaches that have occurred as well as potential security risks they face going forward.
With the average cost of a data breach reaching $7.2 million in 2010, it has become exceedingly risky for businesses not to make protecting customer data a top priority. In a follow up post we’ll talk about where the bulk of customer data and other critical information typically resides.