Chris Hoofnagle, a senior fellow with the Berkeley Center for Law & Technology, said security breach notification laws have put data security “on the balance sheet.”
“There desperately needed to be metrics for ROI in security,” Hoofnagle said. “It was really easy to stay out of the newspapers prior to the California law, and now it’s impossible.”
“Some of the CIOs I talk to, when they’re trying to justify a security investment, I will make a fake press release with the name of their company at the top of it, with a headline that says the company has lost 1 million records and the FTC is set to investigate. It’s to convey that security breaches are now unacceptable.”
However, Hoofnagle said he was surprised that the costs of data breaches are rising. He had assumed companies would see high up-front costs that would decline over time as they developed processes and acquired products for dealing with the issue.
“It could be that companies are just now becoming conscious of it,” Hoofnagle said. “I’ve found that it’s not uncommon, as a privacy consultant, to visit a client and find that they do not know about an important privacy law that they need to comply with.”