The homepage of the Catholic Archdiocese of Seattle is the last place one might expect to see the phrase “IRS TAX FRAUD SCAM” in a bright red box. The conspicuous red box, which links to a legal notice in four languages and a letter straight from the Archbishop himself, is just one of many painful steps the Archdiocese has had to take in the week following the discovery of a data breach. The breach exposed social security numbers and other sensitive personal information of some of the Archdiocese’s 90,000 employees and volunteers.
As the bright red notice demonstrates, the Archdiocese must now fulfil mandates from the scary side of legal compliance: what to do after sensitive data has already been compromised. In some circumstances, the notice and reporting requirements, invasive legal investigations, fines, penalties, and sanctions have driven organizations into bankruptcy.
The costly effects of a data breach do not end there. Notification requirements can lead to negative media exposure and customer outrage. Expenses, both voluntary and mandatory, often include legal fees, public relations costs, extra security, and programs aimed at restoring customer goodwill (like Target’s credit monitoring program). If the Target breach is any example, blaming your organization’s contractors or service providers will do nothing to stem the tide of expenses after your sensitive data is compromised.
In data privacy compliance, an ounce of prevention is often worth a pound of cure. If your organization deals with sensitive personal data, make sure you are aware of the compliance requirements for your industry and jurisdiction. Having the right technological solutions in place to protect your data might just make the difference between profit and bankruptcy.
By Harris Buller, J.D.