Roy Snell, CEO of the Society of Corporate Compliance and Ethics, says it may be time to give compliance officers greater oversight of data breach prevention.
The Society of Corporate Compliance and Ethics (SCCE) believes it may be time to give chief compliance officers primary responsibility for dealing with data breaches. A recent study conducted by SCCE and the Health Care Compliance Association found that 65 percent of data breaches were caused by employees losing paper files or portable memory devices. It also found that 69 percent of the companies surveyed let the compliance and ethics department lead the remediation efforts after a breach.
Roy Snell, chief executive officer of SCCE, says that in many cases the audit, legal, IT or risk departments are put in charge of data security, but it is the compliance department that can have the most far-reaching impact on employee behavior and be most effective at stopping data breaches.
‘The problem is that everybody thinks privacy and security is the job of IT and data security is about preventing hackers from getting into the system, when in fact most data breaches have nothing to do with hackers,’ says Snell. He says the problem really stems from ‘employees leaving paper out in the open, walking away from computers while they are logged in, using laptops that are not encrypted and doing computer work on airplanes while others are watching. This is primarily an education, monitoring and auditing issue – we have to tell people what to do, and see if they are doing it.’
That’s where the compliance department is best suited to help. According to Snell, any software systems to prevent hacking and other types of electronic data breaches should be handled by IT but overseen by compliance to make sure that they’re working. Then, a good data breach prevention program should be implemented – and that should be the responsibility of the compliance officer.
‘The typical IT department doesn’t have the time, expertise or authority to manage all data breach prevention techniques,’ says Snell. ‘We need a comprehensive approach to solving this problem, not just software. Having a compliance program is using a comprehensive approach.’
A comprehensive data breach prevention program uses auditing, monitoring, education, investigations, discipline and enforcement – which Snell says are ‘the tools of the compliance officer.’ All boards should review their current data breach prevention plans and determine who has the real authority to improve the corporate culture in a way that can prevent data breaches in the future. The SCCE survey found that 59 percent of respondents experienced a data breach within the last year, and a surprising 37 percent had multiple breaches, so this continues to be a problem at large and small companies.
‘I think an effective compliance officer can decrease your data breach risk very efficiently,’ says Snell. ‘The key is getting a compliance officer who knows how to use the tools of a compliance program.’
Additional findings from the report indicate that rank-and-file employees were most often responsible for breaches, while just 11 percent of respondents said their last breach was the result of hacktivists. Breaches were most often reported by employees other than IT (47 percent), while customer notification accounted for 15 percent. It is good news that employees are apparently willing to come forward; businesses should continue to encourage this behavior.
Fifty-nine percent of survey respondents reported that the costs attributed to resolving their last breach were less than $50,000. The numbers in the research reflect only hard costs and don’t take into account lost business or brand value due to customer or partner mistrust or negative publicity.