The long arm of the law stretches
Over the past couple of years, outrage from customers and clients victimised by these schemes has spurred legislation at federal and state levels. New laws, including the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA) and California's Database Protection Act of 2003, have made companies legally responsible for protecting individuals' personal information housed in their databases.
What leaks
The Ponemon Institute's data security study asked respondents what type of leaks they'd suffered. Because respondents could cite more than one category per incident, the percentages don't total 100.
- 22 percent of leaks involved customers' personal data.
- 10 percent involved workers' personal data.
- 39 percent disclosed confidential business data.
- 14 percent leaked intellectual property, including software code.
- 16 percent: "Other".
While protecting personal information has become an important legal issue for companies, other sensitive information, such as intellectual property, leaked by insiders to competitors or to the public, can also have devastating financial consequences. The problem has become even more important as companies, particularly those in technology, increasingly outsource work.
"A lot of these outsourced employees have access to huge amounts of sensitive data," Ponemon said. "It's easy for them to download files or print them out and put them in a briefcase and carry them outside. In places like India or Latin America, where they are paid far less than counterparts in the US, stealing information and selling it can seem like [just] another source of revenue."
Most internal security breaches aren't the result of rogue employees, but are rather the result of negligence or error. Of the internal attacks cited in Ponemon's report, about almost 40 percent occurred because well-intentioned employees inadvertently caused security problems by how they handled sensitive information. Only 30 percent were attributed to malicious employees.
"Most internal security issues are due to organisational sloppiness," he said. "These aren't bad people. They are just trying to get a job done, but they aren't considering all the consequences to their actions."
