Repeated cyberattacks over the last two weeks have left Sony the latest victim of a data loss and theft epidemic that has swelled to epic proportions. With the news that personal information belonging to more than 100 million users of its PlayStation Network, Qriocity, and Sony Online Entertainment services has been stolen in what amounts to one of the largest online data breaches to date, we are again reminded that the scourge of cybercrime continues to create significant legal, reputational, and bottom-line liabilities for companies that are vulnerable to attack and unprepared to deal with the fallout.
Worse yet, a 2010 survey of corporate directors and executives authored by Carnegie Mellon University and Jody R. Westby, CEO of Global Cyber Risk LLC, reveals a stunning disconnect between consumers who are increasingly concerned about data breaches and the boards that are ultimately responsible for preventing them.
According to the survey, not a single respondent reported that improving data security is among their boards' top three priorities. Only six percent of respondents reported that their boards have an IT or data security committee. More than half of the respondents (53 percent) reported that their companies do not employ a Chief Information Security Officer. And only 26 percent reported that their boards receive reports from senior data security managers.
Given all that today's boards of directors are responsible for, it's not altogether surprising that data security is slipping through the cracks. But at a time when identity theft topped the U.S. Federal Trade Commission's (FTC) consumer complaint list for the 11th consecutive year in 2010, it seems that the issue is certainly worthy of directors' attention. Absent boardroom leadership on data security, the epidemic will only worsen and more and more companies will continue to fall short of public expectations when responding to ever-larger breaches of sensitive consumer information.
Sony's actions since discovering that its networks had fallen prey to cybercriminals provide a case in point. Like so many other companies that have confronted similar data loss situations, Sony waited almost a week before informing stakeholders of the first breach. According to published reports, much of that time was spent determining the cause, nature, and scope of the problem. But such probity at least needs to be balanced with a sense of how delays between detection and disclosure stoke the anxieties of consumers, lawmakers, regulators, and investors.
In this instance, Sony's delay inspired Senator Richard Blumenthal (D-CT) to say that "the facts show Sony purposely deceived people and misled them before it has now finally begun coming clean." Blumenthal has also called on Sony to pay for monitoring services that would enable affected consumers to keep a close eye on their credit. Compounding matters, gamers called for a Sony boycott and Sony shares tumbled three percent on Wall Street. A post to the PlayStation Network blog summed up consumers' sentiments: "If you have compromised my credit information, you will never receive it again."
Today, most people understand that they have traded a certain degree of privacy for the conveniences of the Digital Age. But at the same time, they also expect those they trust with their personal data to act responsibly when problems arise. More than anything else, that means acting as quickly as possible to empower consumers with the information they need to protect themselves from the cascading impacts of compromised personal information.
Contrast Sony's response to that of Heartland Payment Systems when it experienced what was, at the time, the largest data breach in American history. Within three days of the incident, the company reached out to more than 150,000 retail customers to inform them of the scope of the problem and the protective steps they could take moving forward.
Led by Heartland CEO Robert Carr, the company initiated an unprecedented communications effort that not only protected consumer relationships, but also made each subsequent step in the recovery process all the more credible. As a result, crisis was transformed into an opportunity as Heartland worked with competitors and drove industry-wide reforms that secured its leadership position in the ongoing battle against cybercrime.
Of course, a response in line with the Heartland model simply isn't possible without prescient planning. And, in turn, such preparation simply isn't possible without a mandate from both the boardroom and the C-Suite that data breach detection, analysis, and rapid response measures be put in place.
That's why it is incumbent on boards to recruit data security expertise — and prioritize putting such expertise to work — not only to prevent future incidents, but also to develop effective reputation-protection programs should a breach occur. The speed with which the marketplace expects an organization to react to a data loss demands that policies and procedures be put in place far in advance.
To achieve that level of preparedness, directors must first recognize their role in protecting consumers' sensitive information and then seize every opportunity to fulfill that responsibility to the fullest.
Richard S. Levick, Esq., is the president and chief executive officer of Levick Strategic Communications, a crisis and public affairs communications firm. He is the co-author of The Communicators: Leadership in the Age of Crisis and Stop the Presses: The Crisis & Litigation PR Desk Reference, and writes for Bulletproofblog. Mr. Levick is on the prestigious list of "The 100 Most Influential People in the Boardroom," which is compiled by the NACD and Directorship Magazine. Reach him at firstname.lastname@example.org.