I didn’t until today.
Data Breach protection software has entered the realm of commodity now (just ask anyone that bought disk encryption software in 2007 and bought some more in 2009 to see the difference in price). You can use two other measures to check how mainstream this stuff is now: 1. Government talks about it and doesn’t sound like your Dad musing on Lady GaGa 2. You can buy breach insurance.
The link represents a buyer’s guide, which means there are learned people with opinions on it, and undoubtedly conferences in hotels on the outskirts of Kettering. Now, I am being slightly disingenuous. The link refers to a US company and the US landscape, and I’m not aware of the same being over here. Yet. It’s probably just a matter of time though if the normal pattern of things occur. So the question is, is the best insurance lobbing more software at the topic? Clearly with my evil Vendor hat on, the answer is….erm, no actually
Let’s be realistic. Software is the safety net of last resort. Once you have put the education and processes in place, software is designed to stop the stupid and the accidental. It can’t stop the deliberate and the malicious, and one has to assume that the insurance has similar limitations.
So what to do? You can bet your bottom dollar that the insurance company will demand certain procedural / software standards (try insuring your house and tell them you don’t have locks on your doors…) so what’s the insurance for then? It’s to pay off the fines.
The problem is that we don’t have fines really in this country. Yep, the FSA has some pointy sticks, and the ICO has a bag of rotten tomatoes, but frankly, barely a day goes by without there being a data breach, and all that happens is wagging fingers. There is clearly a set of politics in the background, but to my mind, fines need to be bigger, more public and more frequent before changes start to happen. I never thought I’d find myself as an advocate of the world of the insurance broker, but breach insurance is symptomatic of a market taking the problem seriously.
The message: start thumping the desk more often and louder please ICO. When this is being taken seriously, we can measure it by the insurance industry offering policies on it. Because right now, organisations don’t see a proper threat beyond the pain of the actual loss, and will continue to act accordingly.