Reprinted with permission from CNET News

Despite all the attention lavished on data security, most U.S. corporations still do not think that they can prevent data breaches.

A just-released report, provided first to this columnist, prepared by the Ponemon Institute and sponsored by PortAuthority Technologies, paints a bleak picture. The results of the report were compiled from a survey of 850 security practitioners and centered on how they deal with detection and prevention of data breaches within their U.S. companies.

While there is a heightened focus on data security, the new findings suggest that data security continues to present serious challenges to the business world. Even though a majority of the surveyed companies believe that they can detect data breaches, an even larger percentage--63 percent--acknowledge they can't do anything to prevent the attacks. Many say they are affected by high false-positive rates of up to 35 percent, an operational shortcoming that affects their ability to detect intrusions.

Just as troubling is the fact that 41 percent of the surveyed companies do not believe that they are effective at enforcing their data security policies. The No. 1 reason cited for failed enforcement: lack of resources. This is unacceptable; data security is not the place to be penny-wise and pound-foolish. Wouldn't it be much better to plan and spend for prevention than to grapple with the burden and larger expense of a breach after the fact?

The report found that companies are likely to detect both large and small data breaches, but the detection rates still are too low. Better technological methods must be employed to ascertain breaches as soon as they happen, so they can be stopped and damage can be minimized.

Then, there is the minority--some 16 percent of the surveyed companies--who think they lead a charmed existence and are invulnerable to data breaches. They are either naive or doing something very right that others should study.

Among companies that choose not to use leak prevention technologies, cost is the big issue. About one-third say that such technologies simply are too expensive. You can see the looming contradiction. Effective data security may not be the primary mission at most companies, but it soars to the top of the corporate agenda when defenses fail.

The question is whether U.S. companies are ready to make the necessary commitment to fix the system. Failing that, are they at least ready to get ready?

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. The views expressed in this column do not necessarily reflect those of Sinrod's law firm or its individual partners.
