While the incident was actually related to IBM's provider of backup storage services, the company was forced to pay out remediation costs related to informing those people who had been affected and providing credit monitoring services and the like for those individuals, she said.
In that sense, companies must also require the highest security standards from their business partners, said the expert. IBM has since written stronger backup-tape handling policies into its contract with its partner as a result of the incident, and Donahue encouraged others to do the same.
Phillip Dunkelberger, chief executive at encryption software specialists PGP, said that companies are spending too much time trying to react to data incidents and the individual mandates of compliance regulations while overlooking opportunities to improve data security through smarter process control.
Many companies are still too concerned with protecting various endpoint devices and network assets when a more data-driven approach would save them both time and money, he said.
"It has to be about the data. Data is very much the currency that people are transacting with, and employees need to be able to get their jobs done, even if that means taking information outside the network," said Dunkelberger.
"As complexity grows, things happen -- executives buy iPhones that are essentially 60GB storage devices that run on Open BSD and allow third-party applications," he said. "Defending the device is going to be a losing war, and even if you try to do that, people will inevitably add to the device or change its configuration."
While it is unsurprising that Dunkelberger advocates the use of encryption as an intelligent way to overcome the complexity of changing IT infrastructure and business demands of defending data, he said that problems are most often related to faulty policies, not the types of technologies used for information protection.
The heightened information security atmosphere of today is not so much a result of the rapid growth of mobile computing or shared infrastructure between companies as an issue of poor data architecture from the top down, he said.
"Unless we start having a comprehensive discussion about the defense of data, the problem will only continue to persist, and not just in relation to hackers or compliance," Dunkelberger said.
"Everyone has policies, but it is interesting how much intellectual property is being targeted and stolen despite that; more of these attacks are coming, and that will only increase costs and complexity if handled improperly because these are the crown jewels of the organizations that are being targeted," he said.