As we continue our discussion on building a data security practice, let’s keep our focus on the fiscal aspects. Given that there are multiple information security strategies available, what are the unique financial benefits of implementing data security?
In the previous post, “The Business Value of Protecting Data,” we discussed direct cost and indirect profit loss by examining the publicly disclosed expenses of a real-world data breach and the subsequent year’s change in profit. We speculated that the latter was primarily due to reputation damage from that breach. Note that in this case the profit loss was approximately twenty times (double one order of magnitude) the direct cost of the breach itself.
We also asked a question: is there further business value to implementing a data security practice? Will doing so help an organization earn more profit? Of course the answer is yes (this is a marketing blog, after all), and we demonstrate how and why in today’s post.
Let’s discuss three examples of high business value use cases made possible by implementing a data security practice: prescription abuse prevention, sales expense reduction, and new revenue generation. All three of these practices have resulted in more profit at multiple customers, so let’s summarize them here.
The first high-value use case is prescription abuse prevention. This use case involves sending protected data to a third party that runs data analytics to identify potential abuse. Using the result set, the data custodian, in this case a health insurance company, can determine the actual identity of the endangered patient.
How does this work in practice? Say a patient goes to five different doctors, obtains five different prescriptions for opioids, and fulfills them at five different pharmacies within a few hours of each other. Not only is this abuse, it’s also life threatening: over-medication often leads to death.
With manual methods, it takes about six weeks to catch this kind of abuse. With data analytics, detection happens the same day. Yet without data protection, the custodian could not export prescription fulfillment records to a third party performing abuse analytics without violating the patient privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA).
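The flow described above, sketched as an added example that is not from the original post or any vendor product: the custodian replaces patient identifiers with keyed tokens, the analytics party flags tokens, and the custodian maps flagged tokens back to patients. The post does not say which protection method is used; HMAC-SHA256 pseudonymization, the field names, the five-fill threshold, the six-hour window and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

CUSTODIAN_KEY = b"constructed-demo-key"  # assumption: this secret never leaves the custodian

def pseudonymize(patient_id, key=CUSTODIAN_KEY):
    """Keyed, deterministic token: same patient -> same token; not derivable without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def export_records(records, key=CUSTODIAN_KEY):
    """Custodian side: swap patient_id for a token. The vault stays with the custodian."""
    vault, export = {}, []
    for r in records:
        token = pseudonymize(r["patient_id"], key)
        vault[token] = r["patient_id"]
        export.append({**{k: v for k, v in r.items() if k != "patient_id"}, "token": token})
    return export, vault

def flag_tokens(export, min_fills=5, window=timedelta(hours=6)):
    """Analytics side: sees tokens only. Flags a token whose opioid fills come from
    min_fills distinct prescribers at min_fills distinct pharmacies inside the window."""
    by_token = defaultdict(list)
    for r in export:
        if r["drug_class"] == "opioid":
            by_token[r["token"]].append(r)
    flagged = set()
    for token, fills in by_token.items():
        fills.sort(key=lambda r: r["filled_at"])
        for i, first in enumerate(fills):
            near = [f for f in fills[i:] if f["filled_at"] - first["filled_at"] <= window]
            if min(len({f["pharmacy"] for f in near}), len({f["prescriber"] for f in near})) >= min_fills:
                flagged.add(token)
                break
    return flagged

def reidentify(flagged, vault):
    """Custodian side: map flagged tokens back to real patient ids."""
    return sorted(vault[t] for t in flagged)

T0 = datetime(2024, 1, 15, 9, 0)  # constructed sample data below
def _fill(pid, i, offset):
    return {"patient_id": pid, "prescriber": f"DR-{i}", "pharmacy": f"PH-{i}",
            "drug_class": "opioid", "filled_at": T0 + offset}
SAMPLE = ([_fill("P-1001", i, timedelta(minutes=45 * i)) for i in range(5)]  # 5 fills in 3 hours
          + [_fill("P-2002", i, timedelta(days=30 * i)) for i in range(5)])  # 5 fills over 4 months

if __name__ == "__main__":
    export, vault = export_records(SAMPLE)
    print(reidentify(flag_tokens(export), vault))
```

Deterministic tokens remain linkable across exports, and fields such as timestamps and pharmacy identifiers can act as quasi-identifiers, so what leaves the custodian should be limited to the columns the analytics actually needs.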
The next high-value use case is sales expense reduction. Most retailers run multiple fulfillment channels: in-store, on-line, and via telephone. Different campaigns, products, and promotions net different results for each of these channels. Yet how can we tell which combination of these various factors works best for sales in each of these channels?
This solution also relies on data analytics: the data custodian, in this case a retailer, exports protected data to a third-party firm that performs 360° marketing program optimization, determining what methods are the most efficient. Without data protection, however, the custodian would be exposed to multiple dangers.
One danger comes, as we might expect, from violating privacy policies when sales transactions are involved. Perhaps more importantly, another danger comes from sharing live customer and sales records with a third party and risking exposure of that data to a competitor or, even worse, to a subsidiary of that third party that competes with us.
The final high-value use case is new revenue generation. This involves the use of data security to collect payment data from applications. Without data security, any company charging a credit card is in violation of the Data Security Standard requirements established by the PCI Security Standards Council. Violation of these requirements does result in substantial fines and, in some cases, barring from the payments industry.
The solution involves using data security to protect payments from web and mobile applications. Airlines, for example, use payment security in a mobile application to collect bag and ticket fees. This use case is widespread, and most likely you participate in multiple payment transactions requiring data security several times each week.
All of the fiscal benefits we’ve mentioned in this and a previous post rely on building a data security practice. No other information security strategy, including access control, storage security, and transport security, can provide these benefits.
At this point, you might be asking if there is a technical reason why this is true. The answer is again yes, of course, and we’ll discuss why in our next post on the data protection stack.
Meanwhile, what are your thoughts on the business value of implementing a data security practice? Have you worked for an organization that was burned for not having sufficient data security? Have you survived a security breach where the data was protected?
Or do you have thoughts on other high-value business use cases requiring data security? Please leave your thoughts in the comment section. We’d be glad to hear from you!