Over at The Economist, there is an article, “The Leaky Corporation,” which suggests that Information Protection may be becoming a much bigger deal within most companies than it is today, driven largely by the increased attention that data security breaches are receiving from both the press and regulators.
“Data is becoming an asset which needs to be guarded as much as any other asset,” says Haim Mendelson of Stanford University’s business school. “The ability to guard customer data is the key to market value, which the board is responsible for on behalf of shareholders”. Indeed, just as there is the concept of Generally Accepted Accounting Principles (GAAP), perhaps it is time for GASP, Generally Accepted Security Practices, suggests Eli Noam of New York’s Columbia Business School. “Setting the proper investment level for security, redundancy, and recovery is a management issue, not a techie one,” he says.
Specifically, they point to the FTC’s settlement with BJ’s Wholesale Club as an example of the changing expectation for data protection within the United States:
The FTC decided to settle with BJ’s Wholesale Club, a retailer whose lax data-protection practices the agency said constituted an “unfair practice that violated federal law.” The firm collected too much data, kept it too long, did not encrypt it, lacked password protections and left its wireless network open. This, in turn, enabled criminals to produce counterfeit credit and debit cards using stolen customer data and rack up millions of dollars in fraudulent charges. The firm has agreed to fix these problems and undergo information-security audits for 20 years.
Data Protection is getting increased focus among several corporate security management types I know. We’re all busily erecting or resurrecting Data Protection and Privacy efforts. Risks that were once deemed acceptable without any actual Risk Analysis are now being called into question.
This is a Good Thing. If it’s on the minds of The Economist’s readers, that means that Management is waking up to the importance of paying attention to this stuff. While as a general rule I never wish misfortune on anyone, I’m not unwilling to leverage their misfortune for the common good.
Actually, The Economist has been talking about information security for a while now. In October 2002 they even had a survey dedicated to Information Security. An excerpt from the leader to the survey ends with the following paragraph:
Anyone who has not done so already should take an interest in computer security. Unfortunately there is no single right answer to the problem. What is appropriate for a bank, for example, would be overkill for a small company. Technology is merely part of the answer, but it has an important role to play, so that is where this survey will start.
And, slowly, the corporate dinosaurs are waking to the scent of coffee.