You may remember that earlier this year, radio shock-jock Don Imus lost his job after making some insulting and offensive remarks on-air about a women's college sports team. You might say Imus had a data breach of the mouth.
In his article "What Don Imus Can Teach IT," Larry Ponemon (founder and CEO of the Ponemon Institute LLC) lists 10 things companies can learn from the Imus "implosion" about the prevention and containment of data breaches:
"1. It takes only one breach to make people unhappy and get you fired -- or, in the case of a company, lose lots of good customers. Some 20 percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study we recently conducted."
"2. Never underestimate the cost of a breach. Not only did Imus lose his job, but the lost sponsors and reparations to the victims could cost millions. According to Ponemon Institute's 2007 Cost of a Data Breach study, breaches can cost companies millions of dollars... On average, the cost of a data breach is $182 per compromised record, a 31 percent increase over 2005."
"3. Reputations suffer and trustworthiness declines following a breach. In the days following his remarks, Imus struggled to regain his reputation and popularity to no avail. The same holds true for many organizations that suffer a breach. We conduct an annual study to determine which companies in a variety of industries are most trusted by consumers. In our 2007 Most Trusted Companies study we decided to track the impact a data breach can have on a company's perceived trustworthiness. There were 12 companies in our study that had data breaches that required them by law to notify consumers and employees that sensitive information was lost or stolen in the period following the 2006 study. In 2006, these 12 companies had aggregate trust scores that were 1 percent above the average score. Following the breach, their 2007 scores were 23 percent below the aggregate most trusted list average."
Amen to that!
My trust in IBM increased slightly when IBM notified me about their data breach, since I live in a state where data breach notification is not required.
My trust in IBM started its waver when IBM notified me in May 2007 -- over 2 months after their February 2007 data breach. My trust in IBM started its decline when I couldn't get any answers about the progress of its investigation into the data tape "loss." My trust in IBM declined when I learned about IBM's internal policy to archive forever the personal data of former employees, without providing a satisfactory explanation for archiving my personal data. My trust in IBM continued its decline when I learned about IBM's watered-down credit monitoring service offer.
The remaining 7 items in the "What Don Imus Can Teach IT" article are a worthy read. In my opinion, this article should be required reading not only for IT (Information Technology) professionals, but also for CIOs (Chief Information Officers), senior Human Resources executives, and a company's marketing executives.