Deconstructing the Cost of a Data Breach
Page 2
Agenda
• Introductions
• Deconstructing the cost of a data breach:
  • Data breaches can involve many types of data.
  • Data breaches can involve many types of costs.
  • The costs of a data breach can range from zero to more than $170 million.
• Q&A
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst
• Patrick Florer, Co-Founder & CTO, Risk Centric Security
  • Fellow of and Chief Research Analyst at the Ponemon Institute
  • 32 years of IT experience, including roles in IT operations, development, and systems analysis
  • 17 years in parallel working in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment
Page 4
Co3 Automates Breach Management
PREPARE
Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT
Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
ASSESS
Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE
Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
Page 5
About Risk Centric Security
• Risk Centric Security offers state of the art SaaS tools and training that empower Information Security Professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand.
• Risk Centric Security was founded by two Information Technology and Information Security veterans who have more than forty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000.
Risk Centric Security, Inc. www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software
Page 6
What is a data breach?
Data Breach:
• A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
• The law is evolving – basically a breach is an unauthorized use of a computer system.
• Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).
• Data breaches can also happen by accident or error.
Page 7
What is a data breach?
Data Breach:
• Is the concept of a breach too narrow to describe many types of events?
• Do we need different words and concepts?
  - A single event at a single point in time?
  - What about an attack that exfiltrates data over a long period of time?
Page 8
What kinds of data might be exposed?
• Operational Data
• Intellectual Property
• Financial Information
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
Page 9
What kinds of data might be exposed?
Personally Identifiable Information (PII):
• The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
• Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
Page 10
What data aren’t PII?
• Data that identify a person that are not considered protected:
  • Name
  • Address
  • Phone number
  • Email address – things are changing with regard to e-mail addresses
  • Facebook name
  • Twitter handle
Page 11
Is it PII or not?
Personally Identifiable Information (PII):
• According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
• Geo-location data?
• Was the Epsilon breach a “breach”?
• Have there been other “non-breach” breaches?
• Given the powerful correlations that can be made, are these definitions too narrow?
Page 12
What kinds of data might be exposed?
Protected Health Information (PHI):
Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
POLL
What type of data does your company mainly collect/store?
Page 14
What costs are we going to discuss?
• Direct and Indirect Costs?
• Primary and Secondary Costs?
• Costs that we should be able to discover and/or estimate.
• Costs that might be difficult to discover and/or estimate.
Page 15
What costs are we going to discuss?
Costs that we should be able to discover and/or estimate:
• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)
Page 16
What costs are we going to discuss?
Costs that we should be able to discover and/or estimate:
• Fines and indemnifications imposed by contracts with business partners
• Contractual fines and penalties resulting from PCI DSS related incidents - either data loss or compliance failure
• Judgments and legal settlements - customers, business partners, shareholders
• Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)
Page 17
What costs are we going to discuss?
Costs that might be difficult to discover and/or estimate:
• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and Sales losses from customers and business partners who went elsewhere
• Value of intellectual property
Page 18
Whose costs are we going to discuss?
• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
Page 19
How do we measure and estimate costs?
• Fixed / Overall Costs
• Per record costs
• Direct/Primary
• Indirect/Secondary
• Variable costs that scale with magnitude of breach
Page 20
Sources of Data
How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office of Civil Rights (OCR) actions
• FTC actions
• Press releases
Disclosure laws
• HIPAA/HITECH
• State breach laws
• New SEC Guidance re “material” impact
Page 21
Sources of Data
Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)
Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)
Page 22
Sources of Data
Non-public sources:
• Forensics Investigators
• Card Brands
• Payment Processors
• Subscription services
• Data sharing consortia – Information Sharing and Analysis Centers (ISACs)
• Government Intelligence agencies
• Word of mouth and anecdotal evidence
Page 23
Some Estimates of Cost
Ponemon Institute 2011 Cost of Data Breach Study: United States
• 49 Companies surveyed – multiple people per company.
• Breach sizes ranged from 5K – 100K exposed records.
• Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.
• According to some legal experts, Ponemon Institute numbers are the “gold” standard in the Federal Courts.
• The raw data are published in the report appendix.
POLL
What do you think the average data breach cost per record is?
Page 25
Some Estimates of Cost: Ponemon Institute
In the 2011 report:
• Overall weighted average per record = $194 (down from $214 in 2010)
• Overall average total = $5.5 M (down from $7.2M in 2011)
Page 26
Some Estimates of Cost: Ponemon Institute
Page 27
Some Estimates of Cost: Ponemon Institute
Page 28
Some Estimates of Cost: Larger Breaches
DSW Shoes (2005):
• 1.4 million records / $6.5M – $9.5M (press releases)
• Cost per record = $4.64 – $6.79
Page 29
Some Estimates of Cost: Larger Breaches
TJX (Dec, 2007):
• 90 million records / $171M – $191M (SEC filings)
• Accelerated CapEx = $250M (rumored)
• Cost per record = $1.90 – $2.12
Page 30
Some Estimates of Cost: Larger Breaches
Heartland Payment Systems (Dec, 2009):
• 130 million records / $114M – $117M, after $31.2M recovery from insurance (SEC filings)
• Cost per record = ~$0.90
Page 31
Some Estimates of Cost: Larger Breaches
Sony (Mar, 2011):
• 100 million records / $171M (Sony press release)
• Cost per record = $1.71
Page 32
Some Estimates of Cost: Larger Breaches
Global Payments (June, 2011):
• 1.5 - 7 million records / $84.4M in 2012, $55 - $65M in 2013 (SEC filings)
• Up to $30M recovered through insurance (SEC filings)
• Total cost estimated to be $110M - $120M
• Cost per record = $15.71 - $80
Page 33
Some Estimates of Cost: Larger Breaches
South Carolina Department of Revenue (October, 2012), as of 11/08/2012:
• 3.8M individual tax returns exposed – up from 3.6M
• 657,000 business returns exposed
• Two pronged attack – phish and malware
• Data were not encrypted – Governor of SC stated it was best practice not to encrypt
• Outside forensics and legal have been retained
• Total cost estimated to be $12M – $18M
• Cost per record = $3 – $5
Page 34
Some Estimates of Cost: Correlations
• Measured on a per record basis, the cost per record declines as the size of the breach increases
• Measured on a total cost basis, the total cost increases as the number of exposed records increases
• Both of these correlations are weak
Page 35
Some Estimates of Cost: Ponemon Correlations
Page 36
Some Estimates of Cost: Ponemon Correlations
Page 37
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 38
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 39
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 40
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 41
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 42
Some Estimates of Cost: Ponemon + Other Data Correlations
Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost
Page 43
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 44
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 45
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 46
Some Estimates of Cost: Ponemon + Other Data Correlations
Page 47
Are There Patterns in the Data? Log10 Frequency of Exposed Records
Page 48
Are There Patterns in the Data? Beta4 Distribution with Uncertainty
Page 49
Are there Patterns in the Data? Beta4 Quantile-Quantile (Q-Q) Plot
Page 50
Are there Patterns in the Data? Levy Distribution – a very poor fit
Page 51
Are There Patterns in the Data? Future Research
Model breach cost by size of breach, using a scale that is logarithmic (mostly):
• <5K records
• 5K – 100K records
• 100K – 1M records
• 1M – 10M records
• 10M – 100M records
• >100M records
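The per-record arithmetic from the "Larger Breaches" slides, the size/cost correlation claim, and the size classes above, worked through as an added example (not part of the deck): it recomputes the cost-per-record ranges from the quoted figures, assigns each breach to a size class, and rank-correlates breach size against midpoint total and per-record cost. With only six data points the coefficient's magnitude is not meaningful; the example is there to show the sign of each relationship and the arithmetic, not to estimate strength. The record count used for Global Payments (upper estimate) and South Carolina (individual returns only) are simplifications made here.

```python
import math

# Figures as quoted on the slides: (records exposed, low total cost, high total cost), USD.
# Simplifications for this example: Global Payments at its upper record estimate (7M),
# SC Dept. of Revenue at the 3.8M individual returns only.
BREACHES = {
    "DSW Shoes":           (1_400_000,     6_500_000,   9_500_000),
    "TJX":                 (90_000_000,  171_000_000, 191_000_000),
    "Heartland":           (130_000_000, 114_000_000, 117_000_000),
    "Sony":                (100_000_000, 171_000_000, 171_000_000),
    "Global Payments":     (7_000_000,   110_000_000, 120_000_000),
    "SC Dept. of Revenue": (3_800_000,    12_000_000,  18_000_000),
}

# Size classes from the "Future Research" slide; each class covers (low, high] records.
SIZE_CLASSES = [
    (0, 5_000, "<5K"), (5_000, 100_000, "5K-100K"), (100_000, 1_000_000, "100K-1M"),
    (1_000_000, 10_000_000, "1M-10M"), (10_000_000, 100_000_000, "10M-100M"),
    (100_000_000, math.inf, ">100M"),
]

def cost_per_record(records, low, high):
    """Per-record cost range in dollars, rounded to cents."""
    return (round(low / records, 2), round(high / records, 2))

def size_class(records):
    """Map a record count onto the deck's (mostly) log10 size classes."""
    for lo, hi, label in SIZE_CLASSES:
        if lo < records <= hi:
            return label
    raise ValueError(f"record count out of range: {records}")

def _ranks(values):
    """1-based ranks; the sample values are distinct so no tie handling is needed."""
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks = [0.0] * len(values)
    for rank, idx in enumerate(order, start=1):
        ranks[idx] = float(rank)
    return ranks

def spearman(xs, ys):
    """Spearman rank correlation: +1 = identical ordering, -1 = reversed ordering."""
    n = len(xs)
    d2 = sum((a - b) ** 2 for a, b in zip(_ranks(xs), _ranks(ys)))
    return 1.0 - 6.0 * d2 / (n * (n * n - 1))

def correlations(breaches=BREACHES):
    """Rank-correlate breach size with midpoint total cost and midpoint per-record cost."""
    records = [r for r, _, _ in breaches.values()]
    totals = [(lo + hi) / 2 for _, lo, hi in breaches.values()]
    per_record = [t / r for t, r in zip(totals, records)]
    return {"records_vs_total": spearman(records, totals),       # expected positive
            "records_vs_per_record": spearman(records, per_record)}  # expected negative

if __name__ == "__main__":
    for name, (r, lo, hi) in BREACHES.items():
        print(f"{name:20s} {size_class(r):9s} per record: {cost_per_record(r, lo, hi)}")
    print(correlations())
```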
Page 52
Wrap-up
• We have covered many topics today. To summarize:
• Breaches can involve many types of data:
• To date, most reported breaches deal with PII, PHI, and credit card data.
• For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
• Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.
Page 53
Wrap-up
• Breaches involve many types of costs:
• In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
• A PHI breach may result in fines that seem disproportionate to the number of records exposed.
• Per-record metrics are appropriate for some types of breaches (PII, PHI, CCard), but not others (IP).
• Brand damage and loss of stock value are difficult to measure, and, in some cases, do not appear to exist.
Page 54
Wrap-up
• The costs of a data breach can range from nothing to over $170 million.
• Breaches that are never detected cost nothing – nothing that can be measured, at least.
• Per the numbers from the 2011 Ponemon Institute Cost of Breach study, there is a wide variation in total breach cost: from $500K to over $20 million.
• For breaches that expose more than 1 million records, the reported costs per record vary greatly, ranging from as little as $0.90 (HPS) per record to as much as $80 per record (GP).
Page 55
Wrap-up
• There may be patterns in the data that can help us predict the cost of a breach, should it happen to us:
• The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
• Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
• As breach size increases, some costs appear to scale more than others: forensics = less, notifications = more, credit monitoring = more, fines & judgments = more, customer loss = unknown
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Patrick Florer
Co-Founder & CTO
Risk Centric Security, Inc.
214-828-1172
www.riskcentricsecurity.com
APPENDIX
Page 59
What kinds of data might be exposed?
Operational Data:
• Unpublished phone numbers
• Private email addresses
• HR data about employees
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data
Page 60
What kinds of data might be exposed?
Intellectual Property:
• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and other plans
• Product designs, plans, formulas, recipes
Page 61
What kinds of data might be exposed?
Financial information:
• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data
Page 62
What is PII in the European Union?
Personally Identifiable Information (PII):
• A term similar to PII, "personal data", is defined in EU Directive 95/46/EC for the purposes of the directive:
Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
from wikipedia.com
Page 63
What is Protected Health Information (PHI)?
• PHI that is linked based on the following list of 18 identifiers must be treated with special care according to HIPAA:
  • Names
  • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  • Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Phone numbers
Page 64
What is Protected Health Information (PHI)?
Protected Health Information (PHI):
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
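The zip-code and date/age rules in the identifier list above are the part of HIPAA de-identification that is easy to get subtly wrong, so here is an added example (not from the deck) that applies them to a record: direct identifiers are dropped, zip codes are cut to three digits (or "000" for sparsely populated prefixes), dates other than the year are removed, and ages over 89 collapse to "90+" with the birth year dropped as well. The field names, the reference date, the sample records and the small-population prefix set are all constructed for the example; the real prefix list must come from current Census data.

```python
from datetime import date

# Three-digit zip prefixes covering 20,000 or fewer people must become "000".
# CONSTRUCTED placeholder set; the authoritative list comes from Census data.
SMALL_POPULATION_PREFIXES = frozenset({"036", "059", "102"})

# Fields removed outright under Safe Harbor (field names assumed for this example).
DIRECT_IDENTIFIERS = frozenset({"name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
                                "account_number", "license_plate", "device_serial", "url",
                                "ip_address", "biometric", "photo"})
OTHER_DATES = ("admission_date", "discharge_date", "date_of_death")

def generalize_zip(zip_code, small_prefixes=SMALL_POPULATION_PREFIXES):
    """Keep only the first three digits, or "000" for a sparsely populated prefix."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) not in (5, 9):
        raise ValueError(f"not a 5- or 9-digit US zip code: {zip_code!r}")
    prefix = digits[:3]
    return "000" if prefix in small_prefixes else prefix

def age_on(birth, as_of):
    """Completed years between birth and as_of (birthday not yet reached counts one less)."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def generalize_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)

def safe_harbor(record, as_of):
    """Return a copy of record with direct identifiers dropped and zip/dates generalized."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    if "birth_date" in out:
        birth = out.pop("birth_date")
        age = age_on(birth, as_of)
        out["age"] = generalize_age(age)
        # A birth year that would reveal an age over 89 is itself an identifying element.
        out["birth_year"] = str(birth.year) if age <= 89 else None
    for key in OTHER_DATES:
        if key in out:          # only the year of other individual-level dates may remain
            out[key] = str(out[key].year)
    return out

def safe_harbor_all(records, as_of):
    return [safe_harbor(r, as_of) for r in records]

# Constructed sample data (not real people); AS_OF matches the deck's "as of 11/08/2012".
AS_OF = date(2012, 11, 8)
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "ssn": "000-00-0000", "zip": "02140-1234", "diagnosis": "example",
     "birth_date": date(1922, 12, 25), "admission_date": date(2012, 10, 30)},   # turns 90 in December
    {"name": "John Roe", "ip_address": "192.0.2.10", "zip": "03601", "birth_date": date(1922, 11, 8)},
]
```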
Page 65
How do we estimate costs – Intellectual Property
How to value?
• Fair Market Value
• Cost to Create
• Historical Value
Methodologies:
• Cost Approach: Reproduction or Replacement
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor