Most companies have taken a very serious approach to developing and maintaining their data protection program in order to mitigate their compliance risks. However, there is one step that many have not addressed thoroughly – testing. Simply implementing controls is of limited value if you do not test them to make sure they are working as needed. Technical elements, like firewalls, intrusion detection systems, user authentication systems, and software integrity, are often subjected to penetration testing and red teaming. But operational and procedural elements, like incident investigation and response, data hygiene and minimization, access authorization and modification, and system backup and recovery, frequently go unevaluated. This allows unknown weaknesses to fester and unforeseen dependencies to become entrenched.

This is very dangerous in the modern data protection environment, where the costs of failure continue to rise. According to the latest IBM/Ponemon Institute Cost of a Data Breach Report, the average data breach involving personal information costs approximately $146 per record compromised. Hence, compromise of a customer database containing 10,000 unique records could cost as much as $1,460,000. Similarly, Sophos reports that remediation of the average ransomware attack costs $1,448,000. In addition, new state data protection laws (such as in California and Virginia) are introducing statutory penalties of $2,500 to $7,500 per violation that could radically increase the costs arising from an incident.

Moreover, the costs of industrial espionage and trade secret theft can be immense for many businesses. For instance, in 2017 Waymo accused a former employee of stealing trade secrets to found his own startup company developing self-driving vehicles (which was subsequently acquired by Uber). This incident resulted in litigation between Waymo and Uber, which Uber settled for $245 million and a commitment not to use any Waymo hardware or software technology in its self-driving vehicle development program.

To address this problem, we have worked with clients to develop and execute tabletop simulations to test how they manage data protection risks and incidents. These simulations are carefully tailored to account for the unique attributes of the client's business, such as their customer base, workforce, critical business partnerships, political interests, and public reputation. Tabletop simulations are an excellent opportunity to engage senior leadership of your organization with the wide array of your organization's data protection risks and liabilities by:

  • Illustrating the many different ways that security incidents can arise, such as
    • malicious insiders attempting to steal company secrets to build their own business and/or undermine your business, and
    • inadvertent errors by service providers that expose backdoors to your most valuable internal operations.
  • Showing how business decisions that appear to be unrelated to data protection can erupt into scandals that cost millions in legal fees and business losses, for example
    • New York Presbyterian Hospital was fined $2.2 million in 2016 for allowing the film crew of the TV series “NY Med” to film in their facilities, inadvertently capturing images of patients.
  • Demonstrating how managing employee relationships is vital to data protection, such as
    • the Morrisons data breach in 2013, where a single disgruntled employee exposed the sensitive personal data of over 100,000 employees, leading to a significant loss of workforce goodwill and reportedly £2.26 million in remediation costs alone (which does not include the costs of litigating a class action suit in which the company ultimately prevailed at the UK Supreme Court in 2020).
  • Examining how critical business relationships (such as critical suppliers, customer influencers, and lawmakers) can be jeopardized by security incidents that expose sensitive information, examples include
