Data Security

Do data breaches cause lasting reputational damage for organizations? We all know breach response is expensive –  just ask Target, which posted data breach-related costs of $162 million through fiscal year 2014, plus another $129 million for the first half of FY2015, all net of $90 million in cyber insurance. That’s a lot of zeros, and it’s not over yet. According to Ponemon’s 2015 Cost of Data Breach study, the average U.S. cost of a “malicious or criminal breach” is $230 per compromised record, $210 per record for a “system glitch” breach, and $198 per record for “human error” breaches. The U.S. breaches in the study averaged more than 28,000 compromised records and an average total cost of over $6.5 million.

But beyond response hard costs, the X factor for many companies is a fear of crippling reputational damage in the wake of a large-scale data breach. As it turns out, such fears may be unfounded, and may also be unhelpful.

At DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”

Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.

Faces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.

Folks of a certain age, and fans of “Guardians of the Galaxy’s” Awesome Mix vol. 1, have a hard time forgetting that late ‘70s song by Rupert Holmes, “Escape” (“If you like piña coladas, getting caught in the rain….”). But for millions of subscribers to infidelity website AshleyMadison, there’s no easy escape from hackers’ public disclosure of subscribers’ personal information. In the ensuing schadenfreude-field-day, and amidst early reports of extortion attempts and even suicides, there’s an important lesson to remember. Whether or not a company’s business model is broken vows, broken promises in a privacy policy can have severe repercussions.

Months. Actually, years. That’s how long the notion has been brewing that the Federal Trade Commission has no authority to enforce reasonable data security under the unfairness prong of FTC Act Section 5. The stakes are high – the FTC can pursue essentially any commercial company under the FTC Act for unfair or deceptive trade practices in interstate commerce. And if the FTC indeed has the authority to take any such company to court for “unfair” data security practices under Section 5, without any FTC regulations under Section 5 setting standards for exactly what constitutes adequate data security… well, one can appreciate why many in the general business community are uneasy.

When the FTC sued Wyndham in federal court for inadequate data security, Wyndham raised every argument its lawyers could think of to dismiss the FTC’s unfairness claims.  After failing to convince the trial court, Wyndham next took an interlocutory appeal to the Third Circuit Court of Appeals, the first appellate court to ever consider this issue, and asked that the FTC be stopped. But instead of a red light (a ruling of no FTC authority) or a yellow light (a ruling on other grounds), the Third Circuit Court of Appeal’s decision, handed down this week, gives the FTC a clear green light to pursue its claims against Wyndham for alleged unreasonable data security as an unfair business practice.

Costs continue to mount for Target as the company works to put its massive 2013 data breach behind it. Target and Visa recently announced an agreement for Target to reimburse Visa card issuers as much as $67 million for costs associated with the historic breach. The settlement is considerably larger, and more likely to succeed, than the proposed $19 million deal between Target and MasterCard that issuers previously rejected as too low.

Do you often feel that despite best efforts to circle the wagons your information security team is fighting a losing battle with broken down tools? Even though information security budgets have increased in the last couple of years—likely in response to the very visible increase in high-profile data breaches—discretionary budget dollars are scarce. I recently heard the poker term “dead money”  used to describe that large portion of every IT budget that has been committed long before it is received, much like the money we all must dedicate to mortgages, utilities, food, and transportation. Thus, for every $100 of total IT spend, we may be left with just $0.60 for new baubles and geegaws, as my grandmother used to say.

It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”

The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this:  (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case.  But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.