Is PCI Compliance Enough?

CIO Magazine recently ran an insightful article about PCI compliance. The article emphasizes that PCI “compliance” is a credit card industry minimum set of standards to protect data and to minimize data breaches. However, as the numerous data breaches over the past year attest, something appears wrong.

Yes, something is wrong. First, cybercriminals possess a level of sophistication that most businesses simply do not comprehend. Professional cybercriminal networks and state actors launched the recent data breaches—not a couple of teenage “hackers.” Second, businesses must understand that data itself, not just credit card numbers, has significant value in a well-developed, global market for data. Medical information, address information, employment information, legal information, company trade secrets, intellectual property, business acquisitions, financials, manufacturing systems, geolocation information, CAD drawings, etc. all have marketable value.

Once the sophistication and capabilities of the cybercriminals are understood, businesses must then understand that mere adherence to minimum industry “compliance” standards no longer adequately protects company reputation, company property, or customer data. As I noted earlier this year, shareholder lawsuits against officers and board members loom. Unfortunately, a company will soon be the poster child for such suits. With high-profile companies losing millions in sales after data breaches, boards and officers have a defined duty to protect the company and its data and systems assets. (Target’s profits fell by about 40% or $441 million.)

Addressing Data Security, Cybersecurity, and Data Breach Issues for Business—A New Paradigm

But another issue often goes overlooked. Businesses continue to myopically view data breaches as simply a technical or IT issue. Thus, business leadership (and even many attorneys unfamiliar with technology) might simply require the “IT people” to come up with a data policy, implement that policy, and monitor that policy. The problems with such an approach should be evident—and recent events should show that this strategy does not work.

Businesses must adopt a new paradigm for addressing cybersecurity, data breach, and data protection issues.

  1. Data breaches and data protection are legal (including compliance), business, financial, and technical issues for a company. Thus, all elements must be directly involved in any policy-making, procedures, and implementation programs.
  2. Simply delegating the issues to an IT department provides a recipe for failure—not because IT lacks professionalism or skill, but because this is not an IT problem alone.
  3. Simply relying on a minimal “industry standard” might not be enough to protect a business from the spectrum of threats and duties—financially, reputation-wise, procedurally, legally, or legal-compliance-wise.
  4. Businesses should seek legal help with developing proactive policies and procedures to handle data retention, legal compliance, data breach preparedness, data breach response, eDiscovery, and cybersecurity incidents. Legal counsel can advise the board and officers on compliance issues and the sufficiency of an organization’s efforts.
  5. Businesses may increasingly need to consider cybersecurity insurance to help cover the costs of data breaches.
  6. Auditing should be done by outside legal counsel (lawyers) because only legal counsel can confidentially advise an organization on the legal sufficiency of cybersecurity, data security, data retention, disaster recovery, or data breach programs. (And increasingly, the protection of confidentiality may become very important in litigation.)