The New York Times today posted an article regarding the web site WikiLeaks' recent threats to expose information that it has obtained regarding the internal workings of a major U.S. bank. [The article may be found here: NYT WikiLeaks Article] It is widely believed (although it is not confirmed) that the bank in question is Bank of America. The article discusses some of the actions being taken by BoA to insulate itself or at least mitigate any damage from the exposure of sensitive internal data.
There are two instructive lessons highlighted by this story. The first is that many such exposures of companies' sensitive information come as a result of internal leaks (or at least internal carelessness) as opposed to hacks from the outside. This ever-present threat makes clear the need for any company dealing with sensitive information to ensure that it has not only good computer security, both internally and externally, but also good policies, procedures, and controls in place for the internal handling of sensitive information. Such policies can help compartmentalize access to sensitive data, making leaks or losses less likely. They can also limit the scope and impact of any such leaks or losses. Perhaps just as importantly, they can make identifying the source of a leak or loss easier, helping to prevent future incidents and to deal with a current one.
The second point that this story raises (implicitly at least) is the incredible cost that a company may incur in dealing with data loss or data breach issues. BoA is bringing to bear staff from multiple departments (accounting, legal, and IT, just to name a few), as well as outside consultants, just to deal with the possibility that the data in question is theirs. Much of the expense and difficulty facing BoA could have been avoided, or at least minimized, by effective policies and controls in their data handling. This is a lesson not only for huge corporations but also for small and medium-sized businesses. Perhaps the lesson is even more acute for SMBs. BoA has the budget for dealing with a crisis of this magnitude. Does your company?
Possession of sensitive data on even a small scale can represent a significant legal liability for a business of any size. Don't let your business become road-kill on the information superhighway.
Take the time to ensure that your business has not only the tools, but also the plans necessary to handle sensitive data properly and to deal with circumstances where it becomes exposed.