Why Do We Still Have Cyber Breaches?

Evan Schuman wrote an opinion piece in Computerworld yesterday that I found very interesting.

Neimans suffered a credit card breach in 2013 that would be considered small by today’s standards.  Initially they reported that a million cards were compromised;  later that number was reduced to about 375,000.  About 9,000 of those cards were used for fraud.

The company settled a class action lawsuit against them for the breach for about one and a half million dollars.  That translates to about $4.20 per customer.  After 4 years.  After taking out the lawyer’s fees, it leaves about $1.00 per consumer affected.

If not enough people apply for a piece of the pie, Neimans gets to keep whatever is leftover.

In the settlement, Neimans talked about all the changes that they made since the breach –

  • They hired a CISO.  Apparently, until the breach, Neimans, a $5 billion retailer, did not have an executive in charge of cyber risk.
  • They hired some additional cyber security people.  It doesn’t say how many or what they are doing.
  • They are reporting about cyber risk to the C-Suite and the Board now.  More frequently.
  • Neimans installed chip credit card terminals in their stores now.

So, if you think about it, after 4 years Neimans’ insurance carrier paid out a million+ dollars, they hired a few more people and they are talking some at the C-Suite level.

There were, of course, other costs.  Neimans had to hire lawyers to defend them.  They likely had to pay fines to their banks.  They may have lost some business, but in general, the costs are likely pretty modest – especially considering that they are a $5 billion concern.

I am glad that they hired a CISO and a security team.  That is likely a good thing, but should not have required a breach to make it happen.

Now, of course, before executives get too excited about this, compare this to Home Depot, which recently announced that it had spent $300 million – so far – recovering from its breach.

So it appears to be a mixed bag and getting breached certainly is a distraction for businesses, for years afterward.  Depending on the business, more or fewer customers will leave after a breach (depending on how painful it is for the customer to move, in part).

So at least right now, there is no strong incentive for businesses to be very proactive and that is pretty much what we are seeing.

If consumers want this to change, they will have to vote with their wallets and pocketbooks.  If businesses saw a consistent 25% or 33% drop in revenue after a breach and that revenue didn’t come back in a couple of months, that might change the equation, but until that happens with some consistency….

I did see a statistic recently that said that 20% of businesses hit by ransomware go out of business.  Now that is a compelling number.  Apparently, getting your data encrypted is a bigger risk than losing your customers’ credit cards.  The stores and banks understand this equation.  While it is expensive to credit people for fraudulent transactions and issue new cards, it is less expensive than losing business.  In this case, the banks and the businesses both lose out, but it stops the consumers from getting out their pitchforks and torches and doing some serious damage.

Imagine what would happen if consumers had to pay when their accounts were breached.  For one thing, it would likely mean that people would use their credit cards a lot less.  Since that means a whole lot fewer spur-of-the-moment purchases, the stores really don’t like that option.

It is an interesting situation.  For the most part, everyone has settled in and hunkered down for the duration.  No one likes the status quo, but they like the alternatives even less.  That goes for both customers and businesses.

One thing to consider, however, before I put this to bed:

The cost to businesses of the theft of intellectual property on an annual basis dwarfs the entire credit card fraud bill.  And, for the most part, insurance only pays a tiny part of that cost.  Most of the cost is unknown (often the theft is not even discovered for years), uninsurable and, in some cases, impossible to recover from.  Consider that for a moment.  For businesses, this is a much bigger incentive for not getting breached.

Pretty interesting.

Information for this post came from Computerworld.


The General Counsel’s Job Just Got Harder

After Yahoo announced its mega breaches and its General Counsel was fired, this article is not much of a surprise.

John Reed Stark, head of his own consulting firm, formerly Chief of the SEC’s Office of Internet Enforcement and former law professor at Georgetown Law, and David Fontaine, CEO of the billion dollar risk mitigation firm Kroll, Yale Law graduate and partner at the law firm of Miller, Cassidy, Larroca and Lewin, wrote a great piece recently.

The basic premise is that the General Counsel is going to be the fall guy when there is a breach, so he or she might want to get ahead of that freight train and plan for dealing with it, like any other risk such as financial reporting, sexual harassment and insider trading.

I highly recommend that CEOs, CFOs and Board Members read the entire article because a summation is not going to do it justice, but they bring up three key points.  First, a little background.

If, after reading the article, you are more confused than when you started, please contact me.

From the Yahoo Board after action report:

Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. …

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.

Here are the three recommendations:

#1 – The GC has emerged as the most logical and effective quarterback of data breach response.

We agree with this completely, with a few caveats.  Most GCs are not cyber security gurus.  The GC needs to bring in both internal and external cyber security experts in order to make the right decisions about the risk.  While Fortune 500 firms have access to great cyber security teams, sometimes it is hard to be a prophet in your own land, and outside expertise may be helpful.

In addition, based on precedent, to get the maximum benefit of attorney client privilege, engaging outside counsel may be mandatory.

#2 – Yahoo’s actions not only signal the evolution of a new standard of care for GCs when it comes to cybersecurity but also signal a vast expansion of GC oversight.

The article goes into great detail of what the GC should ensure is being done proactively.

Our takeaway is this.  It is only a matter of time before the lawsuits are successful and the cost to companies of inaction becomes dramatically more than the cost of action.  One strategy is to hide behind a boulder and hope the avalanche misses you, but based on experience here in Colorado, the avalanche usually wins.

Be prepared or be buried by the breach avalanche.

#3 – Cybersecurity presents every bit as much risk as, if not more than, financial reporting failure, and should receive the same level of oversight and audit.

I could not say this better myself and in fact, have been saying just this for years.

Cyber, for most companies, whether private or public, is a much more likely risk than financial reporting failure and one that the public understands much better.  If Target made errors in its financial reporting, most consumers would just shrug and move on.  Compromise 50 million consumer credit cards and it takes years for Target to recover its reputation.

Information for this post came from LinkedIn.