Competitive Use of Information

Obtaining information about a competitor or its products can give an organization a significant competitive advantage, if it is used strategically. For example, if a firm obtained surreptitious access to a competitor’s customer list, it could use that list to try to lure away the competitor’s customers. If that list included details about each customer’s contractual relationship, the firm could use that information to craft an irresistible offer that would increase the likelihood of closing the deal. That’s why it is vital to keep information, like formulas and recipes, secret—ensuring customers can get the information from only one source.

Valuation of Information

The value of information depends on both its strategic and tactical importance to the organization and the impact on the organization’s business if that information were disclosed, changed, or destroyed without permission.

Some information, such as federally protected health information, if improperly disclosed, can cost an organization millions of dollars in fines, and even lead to prison sentences for those responsible for the disclosure. Other information, such as trade secrets, will lead to lost profits if it is leaked to competitors.

For example, the United Kingdom’s Information Commissioner assessed British Airways with a £183 million fine in 2019 after a data breach affected the personal information of 380,000 British Airways customers. The commissioner’s office alleged that British Airways failed to implement appropriate security controls and put customer information at unnecessary risk.

Information as a Competitive Advantage

Information provides almost every organization with its competitive advantage. From financial firms with proprietary trading strategies to e-commerce behemoths with confidential models of consumer behavior, information provides the key ingredient that allows most firms to differentiate themselves from their competitors. Securing that information is paramount to a company’s success. Loss of that information can lead to decreased market share and reduced profits.

Case study. The 1971 Data General Corporation v. Digital Computer Controls, Inc. case is an example of insufficiently secured trade secrets and the penalties for misappropriating them.

Upon request, Data General Corporation would provide customers with the design documents for its Nova 1200 computer system. This was done to allow customers to maintain and repair their own computer systems. The drawings were marked as confidential, and customers signed a confidentiality agreement when they received the documents.

The president of Digital Computer Controls purchased a used Nova 1200 through a third party in March of 1971. Digital Computer Controls requested the design documents as part of the purchase and was supplied with a copy by the seller. Digital Computer Controls then developed the D-116 minicomputer from the design drawings, ignoring the annotation on the drawings that they could not be used to manufacture similar items without written permission.

Data General Corporation eventually won a permanent injunction barring Digital Computer Controls from selling the D-116, but it took 5 years. During that time, Digital Computer Controls sold many D-116 computers and had time to develop its next system.

Penalties for Improper Disclosure

A lot of information that a corporation collects is legally protected sensitive information—for example, PII, financial information, and in some industries, classified government documents. Although this information might not have an intrinsic value, there are severe penalties for improper disclosure, both official and in the market. The following are some examples of what a company faces for improperly disclosing information.

Below are penalties for disclosing medical/patient information in violation of the Health Insurance Portability and Accountability Act (HIPAA):

  • Unknowingly disclosed—$100 per violation or record affected
  • Reasonable cause to disclose—$1,000 per violation or record affected
  • Disclosure due to willful negligence that is corrected—$10,000 per violation or record affected
  • Disclosure due to willful negligence that is not corrected—$50,000 per violation or record affected
  • Disclosure due to criminal intent—up to $250,000 and 10 years in jail

These HIPAA fines can be substantial when many records are involved. The maximum fine that may be assessed for a HIPAA violation is $1,500,000 per year that the violation occurred.

Organizations involved in credit card transaction processing must comply with the Payment Card Industry Data Security Standard (PCI DSS). This contractual obligation requires that companies comply with a rigid set of security controls, including specific provisions surrounding access controls. Organizations that fail to comply with PCI DSS are subject to fines that may range up to $200,000 or more per quarter.

In addition to these financial penalties, organizations that suffer data breaches also often suffer reputational damage that is more difficult to quantify. Consumers who know that a company has suffered one or more data breaches may be less likely to trust that organization with their personal information and may choose to take their business elsewhere.
