Data loss – the dreaded. Give me anything but data loss. We’ve just had a power failure and I forgot to click Save. Sure, I lost only 15 minutes but still, I’ll never get it back. Lucky for me this is nothing compared to the real data loss of companies worldwide: 1.7 trillion US dollars’ worth of data lost in 2014 alone. Just as one thinks the age of Cloud storage and Big Data brings with it more redundancy to prevent such losses, the EMC® Global Data Protection Index showed that less than half of enterprises were doing something about it.
Defining data loss
Wikipedia helps us understand “data loss” a bit better. Data loss incidents can be classified by their cause, starting with intentional versus unintentional action. I intentionally made a cup of coffee (because I needed one) but I unintentionally spilt it on my laptop (and deeply regretted it). Then there are failure, disaster, and crime: failure occurs when a supporting resource dries up, such as the electricity supply or the consistent, correct functioning of the software; disaster occurs when the elements unexpectedly overwhelm your situation; and crime affects you when an unlawful act invades your system, such as sabotage, a malware infection, or the theft of physical components.
The latest Annual Incidents Report of September 2014 by ENISA made some interesting findings on information security problems in governments across Europe. It calculated the distribution of “severe outages” by the root causes mentioned above:
- Unintentional action (human error) at 20%
- Failure (system failure) at 66%
- Disaster (natural phenomena) at 5%
- Crime (malicious action) at 9%
It is clear that more can be done about system failures, which are, after all, the most manageable of all the causes.
Counting the cost
The EMC report also showed that, although the number of data loss incidents is decreasing, the amount of data lost has increased by 400%. This means that the impact of each data loss incident is more severe, with consequences that can cripple your business, whether you are made to pay up as punishment or your revenue stream is cut off:
Fines. Principle 7 of the UK’s Data Protection Act requires that, “Appropriate technical and organisational measures… be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Failure to do so will invoke Principle 6, which allows aggrieved individuals to claim compensation. For instance, the ICO imposed a penalty of 325 000 pounds (more than 500 000 USD) on Brighton & Sussex University Hospitals NHS Trust in 2012. These types of fines can go as high as 500 000.
Loss of revenue. Out of 3300 enterprises surveyed globally, 36% experienced a loss of revenue and 34% had delayed product development. More specifically, large organisations in the UK lost 3.14 million pounds (almost 5 million USD) in 2014/2015 due to breaches in data security alone.
Damage to reputation. Companies that fail to satisfy the public that their money and information are secure will inevitably suffer as a result. PWC recently noted that online retailers are losing the trust battle compared to banks. Worse still are social media companies, which manage to garner only 15% of public confidence.
Jail time looming. With the cost of data loss increasing, certain groups are advocating more severe punishments to encourage CEOs to be more vigilant about implementing data security measures. A Websense survey shows that 16% of respondents believed imprisonment for CEOs or board members to be necessary in the event of a significant data loss.
I wouldn’t worry about going to the pound just yet, but the writing’s on the wall: the data protection industry is evolving. Corporations are becoming more aware and innovators and legislators are trying to plug the security loopholes. It’s a good time to be part of the solution – if you’re on board, it might just save your business in the long run.