The reality is that any company that maintains electronic employee job applications and personnel files or that routinely collects and processes consumer credit applications is in possession of personally identifiable information (PII), whose unauthorized disclosure may trigger state breach-notification laws. As recently highlighted by the White House, the current state breach-notification laws can impose substantial complexity and expense. Even the most innocuous breach can require investigation and response costs and draw the scrutiny of state and federal regulators. A classic example is the laptop computer containing unencrypted personnel files that is left in the back of a taxicab. The likelihood that the data on the computer will ever be used for identity theft or other financial fraud may be relatively low, but in most instances that will not excuse the company from providing notice to the affected employees and, in many states, the state attorney general. Notice of the "breach" may then result in broader inquiry by regulators into the company's cybersecurity generally. The cost of simply investigating and giving notice can be significant. The White House proposal to have a single national standard is a step in the right direction but will reduce these costs only at the margins. Most of these costs are driven by the basic policy decision that a breach threatening the security of individuals' PII should be publicly disclosed and subject to investigation in the discretion of the state and federal regulators. Unless and until that basic determination changes, even minor breaches can cause big disruptions.
In short, cybersecurity is a real concern for almost all businesses. Some of these issues may be driven by overbroad government regulations, or by overcautious commercial partners, rather than the reality of a company's actual security requirements. Admittedly, the expense and disruption of implementing these cybersecurity standards may be frustrating for cost-conscious executives, but the downside risk in litigation, business disruption and loss of competitive position for most companies will at least in the aggregate far outweigh the burden of compliance.