While advising the board of directors of a company to pay close attention to data security issues is akin to your dentist telling you to floss, the stakes are too high for a board to ignore. The board of any company must constantly monitor and assess its company’s data security procedures and potential risks. Although there is no strategy to prevent a security breach, each member of a board must exercise its fiduciary duty to consider the risks to a company. To the credit of many companies in the last several years, the assessment of data security risks has achieved a more pronounced position.
Continue Reading Board to Tears: Director oversight of data security issues

Do data breaches cause lasting reputational damage for organizations? We all know breach response is expensive –  just ask Target, which posted data breach-related costs of $162 million through fiscal year 2014, plus another $129 million for the first half of FY2015, all net of $90 million in cyber insurance. That’s a lot of zeros, and it’s not over yet. According to Ponemon’s 2015 Cost of Data Breach study, the average U.S. cost of a “malicious or criminal breach” is $230 per compromised record, $210 per record for a “system glitch” breach, and $198 per record for “human error” breaches. The U.S. breaches in the study averaged more than 28,000 compromised records and an average total cost of over $6.5 million.

But beyond response hard costs, the X factor for many companies is a fear of crippling reputational damage in the wake of a large-scale data breach. As it turns out, such fears may be unfounded, and may also be unhelpful.
Continue Reading Will you still love me tomorrow, post-breach?

At DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”

Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.
Continue Reading DEF CON 23—Part II: cyber risk management strategy

Faces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.
Continue Reading DEF CON 23—Part I: Hackers highlight evolving cyber threats

Costs continue to mount for Target as the company works to put its massive 2013 data breach behind it. Target and Visa recently announced an agreement for Target to reimburse Visa card issuers as much as $67 million for costs associated with the historic breach. The settlement is considerably larger, and more likely to succeed, than the proposed $19 million deal between Target and MasterCard that issuers previously rejected as too low.
Continue Reading Target update: still shopping, but no end in sight

It’s tempting to “gild the lily” when applying for cyber insurance. Insurers are still getting their arms around how to underwrite cyber risks, and so applications commonly feature a lengthy questionnaire about security controls and safeguards. Often folks in the insured’s Finance or Risk departments handle the application process, with minimal involvement by IT Security and Legal. The result can be questionnaire responses that are, well, “aspirational.”

The problem is that the insured’s representations in the application usually become part of the policy, with coverage conditioned on the representations being accurate when made, and also on an ongoing basis. If the questionnaire responses are later deemed to be material misrepresentations, or if what was represented changes materially, then coverage may be lost. With cyber insurance applications, gilding the lily can result in gelding of coverage.
Continue Reading Gilding, gelding, & cyber insurance applications

For years, federal district courts have reliably dismissed data breach consumer class actions at the outset, citing the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International. Defendants’ tried-and-true argument goes like this:  (1) under Clapper, plaintiffs must allege at least an imminent risk of a concrete injury to have standing under Article III of the U.S. Constitution; (2) the data breach plaintiffs haven’t alleged such an injury, and any future alleged injuries are too speculative; (3) so no standing, and no case.  But last week, in Remijas v. Neiman Marcus Group, the Seventh Circuit disagreed. The Neiman Marcus decision pumps new life into consumer data breach claims, and plaintiffs will undoubtedly argue that it sounds a death knell for Clapper in data breach litigation.
Continue Reading Breach litigation standing — the bell tolls for Clapper

Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.
Continue Reading IG perspective: adding social media to workplace websites

Ah, Federalism. In countless ways we benefit from a system in which individual states can express their respective policy interests in differing state laws, with the resulting quilt bound together by the Constitution, federal law, and judicial interpretation. But on some topics we end up with a “crazy quilt” … and PII breach notification is trending crazy.

Since 2002, when California enacted the seminal state law mandating notification of individuals whose personally identifiable information (PII) is breached, virtually every state has followed suit. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands now have such statutes.  Only Alabama, New Mexico, and South Dakota are without one, and under Texas’ statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three states.

These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of differing and potentially conflicting state breach notification laws. And differ and conflict they do, as the following three examples illustrate.
Continue Reading State breach notification laws: the quilt is getting crazier

Companies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.
Continue Reading Words from the wolf at the door