We all have been hearing and reading about how confidential data can be at risk. Well, a brand new U.S. survey by the Ponemon Institute, sponsored by Vontu, and exclusively provided first to your author, really drives this point home.
For example, 81% of companies and governmental entities report that they have experienced one or more lost or missing laptops containing confidential business information within the last 12 months. Is your reading appetite whetted yet? Stay with me and read on.
The survey, aptly titled "Confidential Data at Risk," concludes that "a primary reason corporate data security breaches occur is because companies do not know where their sensitive or confidential business information resides within the network or enterprise systems." The survey goes on to summarize that "this lack of knowledge coupled with insufficient controls over data stores" poses "a serious threat for both business and governmental organizations."
So how did the survey come to reach these conclusions? The survey queried 484 information technology departments within U.S.-based corporate and governmental organizations. The answers to the survey questions paint a fairly bleak current picture.
As mentioned, 81% of respondents report lost or missing laptops containing sensitive information within the past 12 months. On top of that, only 10% affirmatively state that they have not had this occur, as 9% just don't know.
The corporate and governmental respondents generally agreed that electronic storage devices contain unprotected sensitive or confidential information, with 60% stating this to be the case for PDAs and other mobile devices, 59% for laptops, 53% for USB memory sticks, 36% for desktops and 35% for shared file servers.
Disturbingly, when asked how long it would take to determine what sensitive data was actually on a lost or stolen laptop, desktop, file server or mobile device, the most common answer was "never."
Unfortunately, as it turns out, this is not entirely surprising, given that 64% of respondents concede that their companies never have conducted a data inventory to determine the location of customer or employee information contained in various data stores.
Along these lines, 49% of respondents admit that business confidential information never has been inventoried as part of usual information technology control processes, and 48% state the same with respect to organizational intellectual property.
Wake up, America - this is unacceptable!
All prudent steps must be taken in this day and age to account for and protect confidential data. The failure to take such steps can compromise the privacy of innocent employees and customers, can jeopardize valued business relationships, can lead to an organization's crown jewels - its intellectual property - walking out the door, and can cause legal liability.
Hopefully, the next time such a survey is conducted, the results will be much improved based on dedicated efforts by U.S. companies and governmental organizations.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Website is http://www.sinrodlaw.com and he can be reached at [email protected]. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line.
This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.