The week before Labor Day is always a slow news cycle but things must have really been crawling at a snail’s pace for InformationWeek to run this story…

The gist of the story is eighty-seven percent of consumers said they lost respect for businesses after those companies lost customers’ personal information, according to InfoSurv’s survey of 400 consumers. Tablus, a company that provides systems for protecting software, backed the survey and announced the results Tuesday. According to Tablus, respondents’ comments indicated that a loss of personal information equals a loss of business because consumers believe businesses should place a high priority on maintaining trust and the confidentiality of their information. In fact, 96% of respondents said that protecting customers from data breaches should be a company’s highest priority. Ninety-five percent of respondents said there is no excuse for exposing customers’ confidential information, and 93% said that businesses are obligated to protect sensitive content. Ninety-four percent of respondents said if there’s a technology to prevent the loss of confidential and personal information, all businesses should use it.

Why isn’t this news? First, because it’s old news. A simple Google search would have shown this. Also companies such as Forrester Research, Gartner and Protegrity (full disclosure, Protegrity is a BlinnPR client) have been talking about this subject for months now. In fact, Forrester and Protegrity have actually calculated in real dollar amounts what a data breach could cost a company. And lastly, anybody who closely follows security and data breaches knows that at RSA 2006 and 2007 this topic was presented as part of a panel discussion. How do I know? Yes, I was at RSA but I was also a panelist both years.

This isn’t about bashing InformationWeek or being the ultimate arbiter of what they should or should not report on. I’ll leave that up to people who are legends in their own mind.

No, my point is this. We already know data breaches are harmful to a company’s brand. What we really should be concerned with is making data breaches part of a company’s crisis communications plan. I can tell you from first hand knowledge that data breaches are not and they should be.

Bookmark to:
         

While playing 18 holes of golf at Van Cortlandt Park in the Bronx over the weekend, I read online that it took Monster.com about five days to disclose a data breach where the personal information of a whole mess of grumpy job seekers, hoping that posting their resumes on Monster would result in a life of happiness and prosperity, got stolen.

I can’t answer the question about whether five days was too little or too much, but I can give you an idea about what you need to know before you disclose to customers, the media and in most cases your bank and credit card companies. You need to know what happened, what and how much was stolen, who was affected, and what you are going to do to make sure it doesn’t happen again. Maybe not with 100% certainty what happened or who the perpetrator(s) were, but enough to know generally what broke, so that you can assure customers you will fix it.

This ultimately comes down to a trust game, and I’d advise anyone to have more information (even if it takes a few days extra), then less. Saying “we’re screwed, we just don’t know how big the pole is” doesn’t engender confidence in your customer base. If you can’t get that information after a certain amount of time, then you need to disclose anyway - but understand you’re going to be pummeled ala TJX.

That’s why I harp time and time again about crisis communications. It’s going to happen to you, it’s just not clear when.

Bookmark to:
         

Credit for this entry goes to Henry Blodget at the Silicon Alley Insider…

Five days after Ukrainian hackers busted into a “rogue server” and stole contact info for 1.3 million Monster users, Monster told the users. But it did so in one of the most inscrutable press releases ever written.

Bookmark to:
         

RSA Conference, which I’m speaking at next year, is looking for the most innovative emerging company in the information security industry for its Innovation Station program, held in conjunction with RSA Conference 2007, Feb. 5-9, 2007, at San Francisco’s Moscone Center.

The submission process is now open for pre-IPO companies in the information security technology space interested in participating. Companies must be privately held and in business for fewer than two years, with confirmed 2006 booked revenues under $5 million and a new product or service introduced between March 2006 and February 2007.

Once selected, these companies are provided with a unique opportunity to showcase new products or services to a judging panel comprised of leading venture capital investors, CSOs, press and industry experts, as well as exhibiting in a special Innovation Station pavilion on the expo floor.

The winner will be named “the most innovative new company” at RSA Conference 2007 and be promoted on the RSA Conference 2007 Web site and in a follow-on press release, and also be provided two individual face-to-face meetings with members of the judging panel after the conference (subject to availability).

To nominate your company as a candidate for the Innovation Station, please visit www.rsaconference.com/2007/us/expo/additional/innovation/.

Nominations will close Friday, Dec. 8, at 5 p.m. PDT.

Bookmark to: