Will a data breach send you broke?
If you listen to the spin doctors who head up IT vendors' marketing and PR departments, you'd be certain that a data breach would destroy your business.
Bad news sells newspapers. Awful news sells more newspapers.
The same principle applies to data and privacy breaches.
Oh – the end is nigh! The sky is falling in. There's trouble at mill.
The assertion is not supported by the evidence. As with the millennium (Y2K) bug, the hype is totally out of proportion to the business risk. The real damage of the Y2K hyperbole was the massive hit to the credibility of IT pundits and professionals.
Managers with lingering memories of that episode are still sceptical about claims made by IT and security departments.
Enough ancient history. Back to the premise.
I am not claiming that data and privacy breaches will not damage your business. They will, and independently researched data bears this out. But look for hard evidence of organisations going broke because of one: it's not there, and I could not locate any. The same can't be said for the numerous listings of the nature of data breaches and the quantity of records compromised.
As this inaccurate claim continues to be pushed, the real damage to the IT security industry will be irrecoverable credibility.
Just like Y2K, it will be déjà vu all over again!
So what information is available to quantify data breaches?
The most authoritative document I could locate was published by the Ponemon Institute under the sponsorship of PGP (an AISA sponsor). This comprehensive April 2010 report covers Australian data breaches and their cost to business during 2009. The findings were based on data loss or theft incidents at 16 organisations, ranging between 3,300 and 65,000 records each. It provides considered insights into what a data breach costs an organisation, both directly and through collateral damage. A similar report is prepared for other regions, including the USA, the UK and France, so benchmarks and comparisons can be made.
Here are some of the survey findings.
The average cost of a data breach to an organisation was A$1.97M, with the cost per breached record averaging A$123. The cost varied by industry, with finance averaging $197 per record and government coming in at the lowest cost per breached record.
Kudos to our dedicated and diligent public service!
The most expensive breach among the companies surveyed during 2009 cost $4M. The two most significant components of this cost were lost business and the detection and escalation of incidents. The lost business came directly from the loss of client trust and the resulting customer churn, which represented the main cost of the compromise. The primary source of these breaches was malicious criminal attack, including botnets, and these attacks were significantly more costly than human error, oversight or omission.
An important finding was that seventy-five percent of breaches were first-time events for the organisations concerned. The report asserts that organisations that have experienced a breach are better able to manage the costs of ensuing breaches. More likely, prevention is simply better than cure. With experience comes wisdom, and a data compromise is a very salient learning experience. Armed with a credible business case backed by actuarial tables, the CFO and CEO will be more disposed to allocating additional budget. Without this approach, a breach could result in panic remediation with budgets spent ineffectively. After a breach, the money has to come from somewhere: other important projects could be delayed, scaled back in scope or, at worst, cancelled.
Or am I being too cynical? For the IT vendors' sake, let's hope their customers don't think so.
OK – the last two points in the Ponemon report summary.
For those considering or employing cloud computing or outsourcing, the outlook is grim: just on a third of breaches resulted from third-party mistakes. There is a pot of gold at the end of the rainbow for someone, though, with 44% of organisations contracting remediation work out to specialist IT security practices.
OK – what's my point?
My assertion is that the premise – data breaches will send you broke – is hyperbole.
Actually, completely over the top hype.
In previous lives in the IT industry I have witnessed vendors make the most outlandish claims. Expectations were set and never met. This once pervaded the industry and still happens today, although it's no longer commonplace. Industry novices visit clients and deliver their presentations, failing to notice the seasoned IT professionals looking at their watches and rolling their eyes.
So back to my initial premise – data breaches will not send your business broke.
Occasionally data breaches make the mainstream press. The example I quoted in my article in the AISA newsletter was an online florist that had a significant credit card breach. I went to their website and they appear to be flourishing. Positively blossoming, in fact. Nothing says "I love you" like flowers.
I kept looking for anecdotal evidence to support the argument. USA-based examples provided some of the answers.
Heartland Payment Systems' breach of 130 million credit and debit card records, disclosed in January 2009, has so far cost it US$100M, with another $42M set aside for future contingency payments. Estimates are that the total could eventually reach the $250M that TJX has estimated it will eventually pay for its 2006 breach of 94 million cards. In spite of this massive hit to the bottom line, both businesses are still trading and investor confidence hasn't waned.
Changes are afoot and here’s what the future holds.
This is an excerpt from a report in iTnews on March 26, 2010:
According to Australian Privacy Commissioner Karen Curtis, the Government has “agreed in principle” with Australian Law Reform Commission (ALRC) recommendations that organisations be penalised for serious privacy breaches.
The Australian Law Reform Commission recommended that the Privacy Commissioner be given the power to seek a civil penalty in a Court for a serious or repeated breach of privacy, and that reporting of serious data breaches become mandatory.
I'll ask the question:
What’s a serious data breach?
What constitutes a serious privacy breach?
“The Government, in its first stage response to the ALRC report, has already agreed in principle to the application of civil penalties for serious privacy breaches where other compliance orientated enforcement methods are not sufficient,” Curtis told iTnews.
“The Government is still considering the issue of data breach notification.”
To close – the summary of my presentation.
Hype has damaged the credibility of the information technology industry. The claim that data breaches will send your business broke is not supported by any evidence. One change that must occur is compulsory reporting of data breaches. When that occurs my view will change, because my argument is based on reported breaches.
In the future, regulators must be armed with a regulatory stick: a very, very big stick.
Mike Ryan – AISA member 1357
Thanks to Telstra for sponsoring the venue and RSA Security for sponsoring the event!