Dos and Don’ts of Data Breach and Information Security Policy

Privacy and Security

Article Snapshot

Martin Abrams, Paula Bruening, Fred H. Cate and Orson Swindle

Published by the Center for Information Policy Leadership, 2009

This paper lists the authors’ top ten recommendations on how to handle the escalating number of data breaches.

Policy Relevance

As the number of data breaches continues to rise each year, public pressure for governmental action has also increased. However, it would be a mistake for policy makers either to confuse the issue with the separate problem of identity theft or to overcorrect and impose notice requirements for every potential breach.

Main Points

  • Both private corporations and governmental entities gather large numbers of data records about individuals for different uses. When the security protecting these databases is breached by illegal conduct, those records can be exposed to third parties who can use individuals’ private information for their own gain.
  • In recent years, the number of data breaches has consistently increased, with a total of 1,572 breaches reported between 2005 and 2008 in the United States. In total, these breaches have exposed more than 247 million records containing personal data.
  • In response, multiple governments have begun to take action both to prevent future breaches and to protect individuals whose information has been accessed. To this end, there are ten specific dos and don’ts that should be considered when creating new policy.
    • Don’t equate data breaches with identity fraud or other consumer harms.
    • Don’t become so preoccupied with data breaches that you lose sight of other, far more serious, security risks.
    • Don’t count the cost of poor security just in economic harm to individual consumers or businesses.
    • Don’t trivialize breach notices by requiring them when there is no reasonable risk of harm.
    • Don’t go it alone.
    • Do take data security seriously.
    • Do create incentives for good behavior.
    • Do collaborate to succeed.
    • Do anticipate threats, don’t just react to them.
    • Do be realistic.
  • Incorporating these recommendations into future policy decisions will allow for a more realistic view of information security threats and their potential solutions. However, new threats will continue to develop, and keeping pace with them will require substantial investment, constant reevaluation of tactics and strategies, and sustained commitment.
