Is Your Customer’s Virtual File Room Door Ajar?

Despite ongoing effort, 83% of companies acknowledge experiencing more than one data breach or security attack, according to IBM and Ponemon’s 2023 “Cost of a Data Breach” report. Is it any wonder that governments around the world are considering and enacting ongoing regulations to require certain protections and mandate reporting windows and behaviors?

Data security rules are getting tougher, and both public sentiment and government regulations discourage company privacy when it comes to reporting. Despite business concerns, public disclosure is required, and pending regulations go beyond requiring just data breach reporting to also mandate reporting all incidents that interrupt service.

As an information management provider, you’re in a unique position to advise customers about security policies and practices. In addition, you offer technologies that can play a significant role in shutting down access to private information and systems for your customers while simultaneously easing collaboration and secure sharing for employees. Are you prepared to talk about the current security landscape? Reporting laws continue to change, yet disclosure remains tricky for companies. Keep reading to learn more about how you can help your customers adapt and thrive.

Reporting laws are evolving

On March 27, 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) issued draft rules for how companies report cyberattacks to the government. Though not yet binding for all companies, the rules signal an important tightening in the reporting climate in which companies will no longer be allowed to keep data breaches private between themselves and those affected. The WSJ reported that “Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours and report ransom payments within 24 hours.” These draft rules remained open for public comment for 60 days. Critical infrastructure typically includes healthcare, energy, manufacturing, certain technology businesses, law enforcement, government offices, and financial services. Any attack resulting in downtime or impairment to services must be reported, but CISA openly encourages that all attacks be disclosed. Companies that fail to comply would be reported to the office of the Attorney General for civil proceedings, and false reporting would incur fines and imprisonment.

It’s not the first such regulation. Signed into law on March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act designated CISA to develop and implement regulations requiring companies to report cyber incidents and ransomware payments. Prior to this Act, incident reporting varied by industry and was largely voluntary. Though ostensibly designed to enable CISA to improve US response to cyber threats through better data collection, these Acts also indicate that public tolerance for data breaches has waned, and customer privacy is taking center stage.

Disclosure can be hard for companies

Many companies have been open about preventative measures but still desire privacy when handling attacks and their outcomes. They are concerned about cybersecurity, but many also have complex reasons for not reporting incidents. Here are the most common.

For years, companies have resisted such government efforts saying attacks are often difficult to identify. This position is supported by the annual Ponemon security report that indicates it takes companies an average of 204 days to even realize they have a problem and an additional 73 days to resolve problems once they are discovered.

Public reporting often damages company performance as individuals may discontinue doing business with companies that appear to be taking security lightly. The Ponemon report shows lost business costs the average company millions of dollars following a breach or attack.

Some companies worry that detailed reporting may encourage attackers to adapt and attack again.

Businesses are often subject to dozens of reporting requirements across federal, state, and industry regulations and laws — including both disclosure of attacks and data breach notifications. In this cluttered landscape, many companies are confused about what needs to be reported, to whom, and within what timeframes.

How you can help

Your customers will turn to you for help understanding evolving regulations and laws while you provide information management technologies that help lock sensitive data away from prying eyes. Here are three specific business strategies you may want among your top security focuses this year.

1. Build cybersecurity directly into document management systems and processes

Virtually all information management technologies now include provisions for security, so there is no excuse for you to continue to offer anything that doesn’t meet minimum standards. If you’re not sure what you have, get on the phone with each provider in your product lineup and make sure your sales staff understand each product’s security capabilities and can adequately explain them to customers. If you’re cobbling products together, scanners with software or cloud services for example, be sure you understand how to set up security in both products to create a seamless fence against bad actors for your customers.

2. Encourage smart security practices

Your security consulting can, and likely should, go beyond setting up the technologies you sell to also offer advice regarding processes and procedures that interact with those products. Don’t be shy about recommending process changes, access restrictions, and automated reporting where it makes sense for each individual customer. You’re also likely familiar with complementary technologies that can help, even if they’re not part of your product lineup. I recommend you familiarize yourself with common regulations and laws like the March 2024 CISA rules, so you can help your customers understand what they need to do in response.

3. Monitor and report on evolving rules for your clients

The truth is, the security landscape is constantly evolving, so businesses must monitor changes and adapt or they put themselves at risk. You could choose to offer guidance to your customers as rules evolve. This doesn’t have to be complicated and can deepen your relationship with your customers as you add more value to their business. Send newsletters, issue special reports, or write blogs to keep your customer base up to date while always encouraging them to seek legal advice to apply the information to their specific situation. It adds value to their relationship with you, making them more likely to turn to you for ongoing services and support.


Security bad actors cost the world $9.5 trillion every year, and it’s time to toughen both regulations and company protections. In your position as a trusted technology advisor, you can make a difference for your customers in their battles to protect sensitive information and lock down business systems from cyber criminals.  

Christina Robbins is Vice President of Communication Strategy and Marketing at Digitech Systems LLC, one of the most trusted choices for intelligent information management and business process automation worldwide. Celebrated by industry analysts and insiders as the best enterprise content management and workflow solutions on the market, Digitech Systems has an unsurpassed legacy of accelerating business performance by streamlining digital processes for organizations of any size. For more information visit