Wednesday, March 28, 2012

Breaches Are Just Part Of Doing Business - Not Really

Have we gotten to the point where someone losing our data does not affect us anymore? Have we reached the point where the pain of changing things is greater than our outrage at poor management of our personal information?

I read an article by Elinor Mills, “Why 'data breach' isn't a dirty word anymore”, on a CNET blog (Mar 26, 2012). Her first sentence was, “Contrary to popular belief, data breaches don't necessarily sink a company, studies and survivors indicate.” While it is an interesting article, it overlooks several things I believe need to be considered.

The example of Heartland Payment Systems is interesting in that it is not a direct-to-consumer business. They provide businesses with the system to handle credit and debit card transactions. The customers of Heartland could switch to a different processing company, but that requires some serious thought and consideration. Additionally, the Heartland customers are not directly feeling the effects of the breach. They are not being sued. Their names are not being bandied about in the press, so there is limited impact on them.

For Heartland, it means that they must fix the problem and show the customers that they are taking the correct steps to keep it from happening again. It also means that Heartland has to defend itself from all of the different lawsuits that will be filed. Yes, I know that one of the suits was dismissed, but there are still the costs of the lawyers to defend against it. If you take the costs of the lawyers and the fixes that need to be made to the systems, you will find that it could have been done for so much less if someone had analyzed the process, detected the flaws, and applied the fixes that were needed in the first place.

Breaches do not need to happen. They happen because someone did not take the steps to make the system right, use the system right, or protect the data.
