Theft of private information, such as customer information, may have three effects:
- Lawsuits may arise when it is known that this information has been stolen. Customers may sue for damages that result from the use of this confidential information.
- Regulators in some countries may be empowered to take criminal and civil action against a company that suffers such a breach. The European Union, for example, requires that Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.3
Other political entities have similar laws that require the safeguarding of information from destruction or breach.
- Customers may refuse to do business with a company that allows such a theft of private information. It is reasonable to assume that a customer would not want to continue to do business with a company that has not taken adequate care to safeguard private information.
Reasons for Data Loss
As one might expect, there are many reasons why a corporation might lose important data. Broadly, they can be broken into the following categories:
- Disasters
- Security breaches
- Accidents or unintended user action
- System failure
Some data protection techniques can be applied to all these causes of data loss; others are better used for specific categories.
DISASTERS Disasters are the classic data-loss scenario. Floods, earthquakes, hurricanes, and terrorists can destroy computer systems (and the data housed on them) while destroying the facilities they are kept in. All disasters are unpredictable and may not behave as forecast. The goal of data protection is to create an environment that shields against all types of disasters. What makes this difficult is that it is hard to predict what type of disaster to guard against, and it is too costly to guard against all of them. Companies guard against the disasters most likely to occur, though that is not always good enough. Until just a few years ago, most U.S. companies did not take into account terrorism when planning for disasters.
There are two classes of disasters: natural and manmade. Natural disasters are often large in scope, affecting entire regions. Earthquakes and hurricanes, with their ability to do widespread damage to infrastructure, are especially worrisome; they rarely provide enough time to develop a plan for data protection if one is not already in place. After the disaster begins, it is too late to try to save data.
Manmade disasters are often more localized and generally create much less damage. Fires are the most common manmade disaster, although many other manmade incidents can cause data loss, too. The worst manmade disaster resulting in widespread loss of data (and life) was the September 11, 2001, terrorist attack on the World Trade Center in New York City. The destruction of key computer systems and the harm that it wrought to the economy of the United States led the U.S. Securities and Exchange Commission and the Comptroller of the Currency to jointly issue policies4 requiring that data be adequately protected against regional disasters.
