“Learning a lesson from Hurricane Katrina: One of the most important lessons is that by reducing vulnerability to high-impact/low-probability disruptions, a company will reduce its vulnerability…”
– Professor Yossi Sheffi, Massachusetts Institute of Technology
On May 22, 2007, President Bush issued a White House directive ordering federal agencies to develop and implement a breach notification policy within 120 days. With September 22nd right around the corner, federal agencies are frantically trying to comply with the directive and are finding out that it’s not as easy as it may sound. Drafting a security and breach notification policy is not the main problem. The Federal Government is, of course, very adept at drafting wordy documents that satisfy Congressional mandates; the main challenge for federal agencies is actually executing them.
The fact that the U.S. Federal Government has a problem implementing and executing should come as no surprise to anyone who has been on this planet for more than a week. However, this is also the main challenge for most private companies. When it comes to private companies implementing and executing a program, in this case a privacy policy and breach notification plan, the challenge is almost universal: M-O-N-E-Y. Scott & Scott’s clients commonly discuss the balance between drafting data security and privacy policies and a breach notification plan, and the practical challenge of putting those words into action.
As with most company emergencies, the matter does not receive the necessary budgetary allocation until it has become… an emergency. You probably know of several examples within your company of such post-catastrophe funding, big and small. In other words, it’s common for a company to take the ostrich approach and ignore a problem, hoping that it will just go away. Then, when there is a data breach, and only then, the decision makers throw money at the problem. Unfortunately, the money is in essence thrown into a fan and gets blown everywhere. The limited resources are spread across all departments that hold out their hand, but the money does not necessarily get spent on the areas that will yield the maximum return on investment. The attorneys and technical advisors at Scott & Scott are sensitive to this budgetary balance and advise their clients on the best way to get the most bang for their buck and receive effective legal and technical protection.
Turning the focus back to Capitol Hill, the White House’s directive applies to all Federal information and information systems. In other words, the directive applies to every Federal Agency with a computer. Senator Arlen Specter (R-PA) and Senator Patrick Leahy (D-VT), with the help of Senator Dianne Feinstein (D-CA), are still trying to push their co-authored Personal Data Privacy and Security Act through Congress. This bill goes beyond the White House’s directive and puts into law rules and regulations that Federal Agencies must follow regarding data privacy and security. Consumer groups and privacy advocates criticize the bill’s numerous exceptions instituted by Republicans, but both parties agree that a bill of this nature is long overdue. Industry titans such as Microsoft, Sun, and Hewlett-Packard recognize that legislation is inevitable and have become a part of the regulatory process as well, through their lobbyists of course.
Now, how can you get your company to dedicate the necessary resources to put its data privacy and security policies and breach notification plan into action? As with most potential emergencies, planning is the key to averting such incidents, and planning will also save your company considerable money. Just like your car’s engine, it’s cheaper to prevent the problem than to repair it. Scott & Scott has a proven track record of developing cost-effective data security and privacy plans uniquely suited to each client’s individual circumstances and budget. The most common mistake companies make is promising more than is legally required. Let us show you how we can save your company time and money as well as give you peace of mind.