Second, ensure that you have adequate reporting to demonstrate compliance with these best practices. When legislation is eventually passed, you will be required to show your auditors, security assessors, and even your board that you are in compliance with it. As you build systems to protect your data, design reporting, monitoring, and alerting into them from the start rather than bolting them on afterward.
Finally, have an incident response procedure planned, documented, and signed off so that in the event of a major data loss you take the right steps quickly and in the right order. Do not fall into the same quagmire that TJX is still struggling with. Be prepared to disclose the extent of the exposure to the press, the SEC, and stockholders, as well as to the parties directly affected.
As Lyndon B. Johnson made so clear, there are dangers in wishing for legislation to solve a problem. But a well-constructed, concise law is needed to clear up the mess that exists today in disclosure requirements for data breaches. While hope is waning that a law will be passed during this election year, something will certainly be brought to a vote by 2009. Any effort put toward improving data protection and preparing for that legislation will pay dividends today in the form of reduced exposure and lowered risk.
Now a consultant, Richard Stiennon was most recently chief marketing officer for Fortinet, the largest privately held security vendor. Prior to that he founded and served as chief research analyst at IT-Harvest. Before IT-Harvest, he was VP of Threat Research for
He holds Gartner's Thought Leadership award for 2003 and was named one of the "50 most powerful people in Networking" by NetworkWorld magazine.