January 20, 2010
Regulations and compliance: The business justification for data security
By Gil Sever, Safend, Special to ZDNet
Commentary - Over the past four years, more than 250 million customer records containing sensitive data have been lost or stolen, according to Privacy Rights Clearinghouse. New and stricter federal and state legislation is mandating the protection of consumers’ and patients’ personal information. Based on these requirements, comprehensive security solutions including data protection (encryption, port and device control) and DLP technologies must be implemented to satisfy the regulations and protect individuals.
What is more of a concern is that both large corporations and small business owners are being held accountable. How does a company justify the cost? Before we answer this question, let’s take a look at two recent examples of new compliance regulations, one concerning Personal Information (PI), the second concerning Protected Health Information (PHI). These examples will provide you with insight into some of the reasons why it is justified for businesses to implement a data security solution.
Forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. A national trend led by several states has expanded the protection of individuals’ and consumers’ personal information to a new level. For example, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) has proposed new and extensive regulations, 201 CMR 17.00: M.G.L. c. 93H, requiring that any entity that “owns or licenses personal information regarding any resident within Massachusetts” comply with strict guidelines. The rule specifies the encryption, on or before March 1, 2010, of all transmitted records and files containing personal information that will travel across public networks, be transmitted wirelessly, or be stored on laptops or other portable devices. The regulations also apply to entities outside of Massachusetts that do business inside the Commonwealth.
What happens if a breach occurs? In Massachusetts, the comprehensive identity theft legislation signed by the Governor on August 3, 2007, specifies that when a breach occurs and personal information is lost, acquired by an unauthorized person or used for an unauthorized purpose, notification must be sent to those affected, the attorney general and the director of consumer affairs and business regulation.
How is this enforced? The attorney general may bring an action against a business to remedy any violations. As more states require companies to comply with tight security regulations, companies will be hit with fines if they don’t implement solutions that specifically prevent the leakage of sensitive data.
As for the second compliance example, on September 23, 2009, the Department of Health and Human Services (HHS) issued an interim final rule concerning procedures and notification of breaches of unsecured PHI under the Health Information Portability and Accountability Act of 1996 (HIPAA). The new rule describes the process for notifying victims of a breach and also expands accountability for a data leak to include “business associates” of the entity holding the PHI. The rule also clearly specifies what constitutes “protected PHI”, in which case notification of the affected party is not necessary. If the PHI is encrypted per the guidelines of the National Institute of Standards and Technology (NIST), then notification is not required. If, however, your PHI is unprotected, then the following must occur:
1. Within 60 days of the discovery, affected parties must be notified of the breach in clearly understood language. Furthermore, prominent media must be contacted when over five hundred people are affected.
2. The notification must explain the specifics of what occurred, what type of PHI was leaked, and the steps the individual can take to protect themselves.
3. The responsible party must specify the steps they are taking to avoid harm to the affected individual, such as contact procedures and information for those needing help.
With the advent of the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009 (ARRA), special incentives are accelerating the adoption of electronic record systems and exchanges between providers. The government is investing $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use HIT to electronically exchange patients’ health information. However, with more electronic records comes more PHI needing protection. The Act requires that an individual be notified if there is an unauthorized disclosure or use of their health information. This can be a costly process. These new regulations and compliance issues provide businesses with a reason for implementing data security solutions.
According to the Ponemon Institute, data breaches have serious financial consequences for an organization. Costs can also include direct expenses such as engaging forensic experts, outsourced hotline support, free credit monitoring subscriptions and discounts for future products and services. According to this year’s Ponemon Institute Annual Cost of a Data Breach study, the average cost of a data breach has risen to $202 per customer record from last year’s $197. In addition, they found that 75% of large corporations surveyed have suffered data leakage, with an average cost of $5 million per incident. With these huge sums of money associated with data loss and new regulations being implemented on a regular basis, the need for data protection has become top of mind for businesses. With the implementation of a DLP solution, a business is less likely to be non-compliant and more data will be
Back to our original question: how does a company justify the cost of data protection solutions? Consider a regional hospital with 500 beds, 1,000 employees and 200 laptops; the hospital serves a population of 100,000 and has one laptop stolen every six months on average. If 1,000 patient records were located on the stolen laptop and the hospital had to notify each patient at a cost of $202 per record, the hospital would be better off paying $4,000 for the encryption of the laptops and avoiding the $202,000 spent on the disclosure.
As the workforce continues to rely on and expand its use of mobile devices (e.g. smartphones and laptops), the opportunity for leakage of sensitive information increases. Let’s explore a real-life example: a business executive using his laptop from an airport lounge is communicating via Skype with his family and his child’s soccer team coach. He accidentally attaches a customer list instead of the soccer team registration. An effective data protection system will warn the user and block the transfer. This type of accident is fairly common. A recent report from the Ponemon Institute suggests that the most common breaches (64%) originate from company insiders. In the January 2009 study, they found more than 88% of all cases involved
A comprehensive data protection solution can lower these statistics in several ways. First, it can assist organizations in identifying sources of unsecured PHI and PI. For example, advanced discovery tools are capable of quickly locating sensitive data no matter where it resides on your systems. Several of our customers have been shocked to learn that their sensitive data resides on endpoints. Second, an effective data protection and leakage prevention system comes bundled with extensive ready-to-use templates containing policies that “out of the box” will provide effective protection and encryption with little to no user intervention. The more automatic and transparent the system, the better.
Since the majority of leaks occur because of an employee’s lack of awareness, educating users is a top priority. Education may occur in the traditional sense; however, a data protection system that includes sophisticated dialog prompts provides “on the job training” in compliance and security policies. This unanticipated side benefit can both prevent a breach and train users. If an employee is about to send sensitive data unknowingly, he might be notified through a prompt such as the one found below:
When data is appropriately protected, encrypted and secured, federal and state breach notifications can be avoided. In the long run, organizations can save a significant amount of money and avoid embarrassment and loss of public and consumer trust by deploying the right data protection and leakage prevention solution. The goal for all holders of sensitive data should be to pay a few dollars now to avoid paying much, much more later. Dollars, customers, credibility and potential lawsuits are all at stake. Look for a comprehensive solution that is transparent and provides the right balance between productivity and
Gil Sever is the founder and CEO of Safend, a provider of endpoint data protection solutions that protect against corporate data loss via physical, wireless and removable media ports while ensuring compliance with regulatory data security and privacy standards. For additional information on Safend visit,