Data breaches: Are they good for business?
January 29, 2015
We have all read the stories: a large retail store has a data breach, a large home improvement store has a breach, a large U.S. post office has a breach, a large motion picture company has been hacked, and this list goes on and on. Nowadays, data breach news stories are almost passed over by consumers because they happen so frequently. Nobody really pays attention to them unless they are directly impacted. And, even then most people have an “Oh well, it’s not really a surprise” attitude about them. But, are these breaches good for your business? They should be.
If the staff of your organization is educated in the importance of really protecting data, then it is likely you have seen an uptick in your revenue as a direct result. Regardless of whether you are in the records management business (protection of information) or the document destruction business (proper disposition of information), or your company happens to do both, if compliance is used as an integral part of your sales process, then you likely have seen some good (and related) growth. If you haven’t seen growth in your business, then it doesn’t necessarily mean that your sales staff is undereducated. It merely means that, positioned properly, you can in fact grow your business as a direct result of some well publicized data breaches.
Here are some questions to ask yourself in regards to your sales staff. Does my sales staff:
- Know the damage that the bad publicity as a result of a breach can cause? If not, then they would likely have a hard time convincing a prospect of this.
- Know the costs of the associated legal fees? If not, then they would likely have a hard time convincing a prospect of this.
- Know that each state’s attorney general (SAG) is now financially incentivized to investigate all HIPAA complaints? Know that the lion’s share of the fines and penalties (the SAG’s incentive) recovered largely stays within that state? This is why they will go after companies that cause breaches. If not, then they would likely have a hard time convincing a prospect to trust you and use your services. Why? Because they may be unable to convince other people that your company truly knows the laws, that your company knows how to protect themselves from data breaches as much as possible, that the company’s employees have been properly trained, and they know and understand the responsibilities and potential liabilities for failing to do so.
- Know your state’s requirements (or federal requirements, whichever applies) for record retention? If not, then they will likely have a hard time convincing prospects to choose you.
- Know that shredding has repeatedly been stated as a proper form of disposition of information? If not, then it is unlikely that they will be able to convince a prospect that shredding is important.
- Know how to intelligently speak of an incident response plan that should be in place at every company? If not, then it is unlikely that they will be able to convince a prospect of this.
The reason that I bring up the incident response plan is this: I have been asked to do a session about it at the NAID 2015 Annual Conference coming up in March. It will be held in Grapevine, Texas. Look me up in Texas in my session, “How to Create an Incident Reporting Process” on Friday, March 20 at 3 p.m.