The Hannaford chain likely will see its legal expenses soar after a recent federal appeals court decision related to a 2007 data breach. The ruling allows a class-action lawsuit against Hannaford to proceed. Victims are seeking compensation for the measures they took to protect themselves from identity theft and fraud after perpetrators pilfered 4.2 million credit and debit card numbers.
Hackers target small businesses as well, noted Dandini, who said The Hartford has seen so much demand for data breach insurance for smaller companies that it recently launched a product especially for that market.
Hackers realize that "so much of our economy right now is made up of small businesses," he explained. "They may have to hit five or six small businesses to get the same take, but it will be easier than hitting one large one."
Often, these smaller firms lack the capital needed to shore up their systems against attacks, explained Dandini. For businesses both small and large, CFOs now are finding themselves with fiduciary responsibility in data-protection cases. And nowhere is this clearer than in U.S. government legislation such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, along with various state regulations, he said.
The requirements range from the simple protection of people's medical records to guarding the unique and proprietary trademark material for which companies are responsible. Any time "a company gets hit because they didn't have adequate protections," the case can make its way to the boardroom, said Dandini.
Ensuring that a business has proper IT defenses requires CFOs to work closely with CIOs on capital investments, among other things. And when CIOs bring up IT security spending, Dandini said, CFOs "understand that they're investing dollars to not have to spend dollars somewhere else." The CIO's task is to explain how the investment ultimately will save the organization money, and how the enterprise must avoid "granular IT-speak about the applications and [instead] spend the time talking about impact to business."
Further, finance chiefs must listen to CIOs when they press the case "to understand [that] we may spend $500,000 for some IT that protects us," by pointing out the costs and other ramifications of failing to spend the funds, and putting the potential loss in a larger context.
"If we don't have that, the likelihood of an event happening would be two or three times more likely, and that could cost $2 million," instead of a much smaller amount, said Dandini. "A lot of mistakes CIOs made in the past [involved focusing] on the technical aspects of the things that [they] were purchasing," and the possibility of gain "wasn't as meaningful as ... the consequences" of loss.