A discussion of the elements and costs of a data breach

  1. Deconstructing the Cost of a Data Breach
  2. Agenda
     • Introductions
     • Deconstructing the cost of a data breach:
       • Data breaches can involve many types of data.
       • Data breaches can involve many types of costs.
       • The costs of a data breach can range from zero to more than $170 million.
     • Q&A
  3. Introductions: Today’s Speakers
     • Ted Julian, Chief Marketing Officer, Co3 Systems
       • Security / compliance entrepreneur
       • Security industry analyst
     • Patrick Florer, Co-Founder & CTO, Risk Centric Security
       • Fellow of and Chief Research Analyst at the Ponemon Institute
       • 32 years of IT experience, including roles in IT operations, development, and systems analysis
       • 17 years in parallel working in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment
  4. Co3 Automates Breach Management
     PREPARE: Improve Organizational Readiness
     • Assign response team
     • Describe environment
     • Simulate events and incidents
     • Focus on organizational gaps
     ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
     • Track events
     • Scope regulatory requirements
     • See $ exposure
     • Send notice to team
     • Generate Impact Assessments
     REPORT: Document Results and Track Performance
     • Document incident results
     • Track historical performance
     • Demonstrate organizational preparedness
     • Generate audit/compliance reports
     MANAGE: Easily Generate Detailed Incident Response Plans
     • Escalate to complete IR plan
     • Oversee the complete plan
     • Assign tasks: who/what/when
     • Notify regulators and clients
     • Monitor progress to completion
  5. About Risk Centric Security
     • Risk Centric Security offers state-of-the-art SaaS tools and training that empower information security professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand.
     • Risk Centric Security was founded by two information technology and information security veterans who have more than forty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000.
     Risk Centric Security, Inc. (www.riskcentricsecurity.com)
     Authorized reseller of ModelRisk from Vose Software
  6. What is a data breach?
     • A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve protected health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
     • The law is evolving; in practice a breach is treated as an unauthorized use of a computer system.
     • Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).
     • Data breaches can also happen by accident or error.
  7. What is a data breach?
     • Is the concept of a breach too narrow to describe many types of events?
     • Do we need different words and concepts?
       • A single event at a single point in time?
       • What about an attack that exfiltrates data over a long period of time?
  8. What kinds of data might be exposed?
     • Operational data
     • Intellectual property
     • Financial information
     • Personally Identifiable Information (PII)
     • Protected Health Information (PHI)
  9. What kinds of data might be exposed? Personally Identifiable Information (PII)
     • The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
       • Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
  10. What data aren’t PII?
     • Data that identify a person but are not considered protected:
       • Name
       • Address
       • Phone number
       • Email address (things are changing with regard to e-mail addresses)
       • Facebook name
       • Twitter handle
  11. Is it PII or not? Personally Identifiable Information (PII)
     • According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
     • Geo-location data?
     • Was the Epsilon breach a “breach”?
     • Have there been other “non-breach” breaches?
     • Given the powerful correlations that can be made, are these definitions too narrow?
  12. What kinds of data might be exposed? Protected Health Information (PHI)
     • Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
  13. POLL
  14. What costs are we going to discuss?
     • Direct and indirect costs?
     • Primary and secondary costs?
     • Costs that we should be able to discover and/or estimate.
     • Costs that might be difficult to discover and/or estimate.
  15. What costs are we going to discuss?
     Costs that we should be able to discover and/or estimate:
     • Lost productivity
     • Incident response and forensics costs
     • Costs of replacing lost or damaged hardware, software, or information
     • Public relations costs
     • Legal costs
     • Costs of sending letters to notify customers and business partners
     • Costs of providing credit monitoring
     • Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)
  16. What costs are we going to discuss?
     Costs that we should be able to discover and/or estimate (continued):
     • Fines and indemnifications imposed by contracts with business partners
     • Contractual fines and penalties resulting from PCI DSS related incidents, either data loss or compliance failure
     • Judgments and legal settlements: customers, business partners, shareholders
     • Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)
  17. What costs are we going to discuss?
     Costs that might be difficult to discover and/or estimate:
     • Loss of competitive advantage
     • Loss of shareholder value
     • Reputation loss
     • Opportunity and sales losses from customers and business partners who went elsewhere
     • Value of intellectual property
  18. Whose costs are we going to discuss?
     • Breached entity?
     • Shareholders?
     • Citizens / the public at large?
     • Card brands?
     • Issuing banks?
     • Customers?
     • Business partners?
     • Consumers?
     • Taxpayers (law enforcement costs)?
  19. How do we measure and estimate costs?
     • Fixed / overall costs vs. per-record costs
     • Direct / primary
     • Indirect / secondary
     • Variable costs that scale with the magnitude of the breach
  20. Sources of Data
     How do we know about data breaches?
     • Victim notifications
     • News media
     • Securities and Exchange Commission (SEC) filings
     • Department of Justice (DOJ) indictments
     • HIPAA/HITECH Office for Civil Rights (OCR) actions
     • FTC actions
     • Press releases
     Disclosure laws:
     • HIPAA/HITECH
     • State breach laws
     • New SEC guidance re “material” impact
  21. Sources of Data
     Research projects:
     • Identity Theft Resource Center
     • Office of Inadequate Security
     Published reports:
     • Cisco
     • Mandiant
     • Ponemon Institute
     • Sophos
     • Symantec
     • Verizon Business DBIR
     • X-Force (IBM)
  22. Sources of Data
     Non-public sources:
     • Forensics investigators
     • Card brands
     • Payment processors
     • Subscription services
     • Data sharing consortia: Information Sharing and Analysis Centers (ISACs)
     • Government intelligence agencies
     • Word of mouth and anecdotal evidence
  23. Some Estimates of Cost
     Ponemon Institute 2011 Cost of Data Breach Study: United States
     • 49 companies surveyed, multiple people per company.
     • Breach sizes ranged from 5K to 100K exposed records.
     • Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.
     • According to some legal experts, Ponemon Institute numbers are the “gold standard” in the Federal Courts.
     • The raw data are published in the report appendix.
  24. POLL
  25. Some Estimates of Cost: Ponemon Institute
     In the 2011 report:
     • Overall weighted average per record = $194 (down from $214 in 2010)
     • Overall average total = $5.5M (down from $7.2M in 2010)
  26. Some Estimates of Cost: Ponemon Institute (chart)
  27. Some Estimates of Cost: Ponemon Institute (chart)
  28. Some Estimates of Cost: Larger Breaches
     DSW Shoes (2005):
     • 1.4 million records / $6.5M – $9.5M (press releases)
     • Cost per record = $4.64 – $6.79
  29. Some Estimates of Cost: Larger Breaches
     TJX (Dec, 2007):
     • 90 million records / $171M – $191M (SEC filings)
     • Accelerated CapEx = $250M (rumored)
     • Cost per record = $1.90 – $2.12
  30. Some Estimates of Cost: Larger Breaches
     Heartland Payment Systems (Dec, 2009):
     • 130 million records / $114M – $117M, after $31.2M recovery from insurance (SEC filings)
     • Cost per record = ~$0.90
  31. Some Estimates of Cost: Larger Breaches
     Sony (Mar, 2011):
     • 100 million records / $171M (Sony press release)
     • Cost per record = $1.71
  32. Some Estimates of Cost: Larger Breaches
     Global Payments (June, 2011):
     • 1.5 – 7 million records / $84.4M in 2012, $55M – $65M in 2013 (SEC filings)
     • Up to $30M recovered through insurance (SEC filings)
     • Total cost estimated to be $110M – $120M
     • Cost per record = $15.71 – $80
  33. Some Estimates of Cost: Larger Breaches
     South Carolina Department of Revenue (October, 2012), as of 11/08/2012:
     • 3.8M individual tax returns exposed, up from 3.6M
     • 657,000 business returns exposed
     • Two-pronged attack: phish and malware
     • Data were not encrypted; the Governor of SC stated it was best practice not to encrypt
     • Outside forensics and legal have been retained
     • Total cost estimated to be $12M – $18M
     • Cost per record = $3 – $5
  34. Some Estimates of Cost: Correlations
     • Measured on a per-record basis, the cost per record declines as the size of the breach increases.
     • Measured on a total cost basis, the total cost increases as the number of exposed records increases.
     • Both of these correlations are weak.
  35–36. Some Estimates of Cost: Ponemon Correlations (charts)
  37–46. Some Estimates of Cost: Ponemon + Other Data Correlations (charts)
     Slide 42: Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost
  47. Are There Patterns in the Data? Log10 Frequency of Exposed Records (chart)
  48. Are There Patterns in the Data? Beta4 Distribution with Uncertainty (chart)
  49. Are There Patterns in the Data? Beta4 Quantile-Quantile (Q-Q) Plot (chart)
  50. Are There Patterns in the Data? Lévy Distribution: a very poor fit (chart)
  51. Are There Patterns in the Data? Future Research
     Model breach cost by size of breach, using a scale that is logarithmic (mostly):
     • <5K records
     • 5K – 100K records
     • 100K – 1M records
     • 1M – 10M records
     • 10M – 100M records
     • >100M records
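The per-record arithmetic on slides 28–33, the two weak correlations stated on slide 34 and the log-scale size buckets proposed on slide 51 can be reproduced from the figures the deck quotes. The Python below is an added example, not part of the original deck or of Co3's or Risk Centric Security's tooling: it transcribes the record counts and cost ranges from slides 28–33 (totals as reported, so the Heartland and Global Payments figures are after insurance recoveries), takes range midpoints on a log10 scale, assigns each breach to a slide-51 bucket, and computes Pearson correlation alongside Spearman rank correlation, the monotone association that a copula model (slide 42) works with. The bucket boundaries are treated as inclusive upper bounds, an assumption the slide does not state.

```python
"""Cost-per-record, size-bucket and correlation analysis of the large-breach
figures quoted in the deck.  Added example: the data are transcribed from
slides 28-33 and the buckets from slide 51; nothing else is from the deck."""
import math
from typing import NamedTuple


class Breach(NamedTuple):
    name: str
    records_low: float   # exposed records, low and high estimates
    records_high: float
    cost_low: float      # total reported cost in USD, low and high estimates
    cost_high: float


# Totals as reported on the slides (press releases / SEC filings); the
# Heartland and Global Payments figures are after insurance recoveries.
BREACHES = [
    Breach("DSW Shoes", 1.4e6, 1.4e6, 6.5e6, 9.5e6),
    Breach("TJX", 90e6, 90e6, 171e6, 191e6),
    Breach("Heartland Payment Systems", 130e6, 130e6, 114e6, 117e6),
    Breach("Sony", 100e6, 100e6, 171e6, 171e6),
    Breach("Global Payments", 1.5e6, 7e6, 110e6, 120e6),
    Breach("South Carolina Dept. of Revenue", 3.8e6, 3.8e6, 12e6, 18e6),
]

# Slide 51's (mostly) logarithmic buckets as (inclusive upper bound, label).
BUCKETS = [(5e3, "<5K"), (1e5, "5K-100K"), (1e6, "100K-1M"),
           (1e7, "1M-10M"), (1e8, "10M-100M"), (math.inf, ">100M")]


def per_record_range(b: Breach) -> tuple[float, float]:
    """Widest cost-per-record interval consistent with the reported ranges:
    lowest cost over the most records, highest cost over the fewest."""
    return b.cost_low / b.records_high, b.cost_high / b.records_low


def size_bucket(records: float) -> str:
    """Map a record count to its slide-51 bucket (upper bounds inclusive)."""
    for upper, label in BUCKETS:
        if records <= upper:
            return label
    raise ValueError(records)  # unreachable: the last bound is +inf


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def ranks(values) -> list[float]:
    """1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=values.__getitem__)
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            out[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return out


def spearman(xs, ys) -> float:
    """Rank correlation: the monotone dependence a copula captures, and
    insensitive to the heavy right tail of record counts."""
    return pearson(ranks(xs), ranks(ys))


def correlations(breaches=BREACHES) -> dict[str, float]:
    """Correlate log10(records) with log10(total cost) and with
    log10(cost per record), using the midpoints of the reported ranges."""
    rec = [math.log10((b.records_low + b.records_high) / 2) for b in breaches]
    cost = [math.log10((b.cost_low + b.cost_high) / 2) for b in breaches]
    per_rec = [c - r for r, c in zip(rec, cost)]  # log10(cost / records)
    return {
        "pearson_log_records_vs_log_cost": pearson(rec, cost),
        "spearman_records_vs_cost": spearman(rec, cost),
        "pearson_log_records_vs_log_cost_per_record": pearson(rec, per_rec),
    }


def table(breaches=BREACHES) -> list[tuple[str, str, float, float]]:
    """(name, size bucket, min $/record, max $/record) for each breach."""
    return [(b.name, size_bucket((b.records_low + b.records_high) / 2),
             *per_record_range(b)) for b in breaches]


if __name__ == "__main__":
    for name, bucket, lo, hi in table():
        print(f"{name:34s} {bucket:9s} ${lo:6.2f} - ${hi:6.2f} per record")
    for k, v in correlations().items():
        print(f"{k}: {v:+.3f}")
```

With these six breaches the log-log correlation of records with total cost comes out positive and that of records with cost per record negative, the two directions slide 34 describes; six points say nothing reliable about strength, so the deck's caution that the correlations are weak stands. Swapping in the Ponemon sample (slide 23) is a matter of extending BREACHES.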
  52. Wrap-up
     We have covered many topics today. To summarize:
     • Breaches can involve many types of data:
       • To date, most reported breaches deal with PII, PHI, and credit card data.
       • For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
       • Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.
  53. Wrap-up
     • Breaches involve many types of costs:
       • In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
       • A PHI breach may result in fines that seem disproportionate to the number of records exposed.
       • Per-record metrics are appropriate for some types of breaches (PII, PHI, credit card), but not others (IP).
       • Brand damage and loss of stock value are difficult to measure, and, in some cases, do not appear to exist.
  54. Wrap-up
     • The costs of a data breach can range from nothing to over $170 million.
       • Breaches that are never detected cost nothing, or at least nothing that can be measured.
       • Per the numbers from the 2011 Ponemon Institute Cost of Breach study, there is a wide variation in total breach cost: from $500K to over $20 million.
       • For breaches that expose more than 1 million records, the reported costs per record vary greatly, ranging from as little as $0.90 per record (Heartland Payment Systems) to as much as $80 per record (Global Payments).
  55. Wrap-up
     • There may be patterns in the data that can help us predict the cost of a breach, should it happen to us:
       • The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
       • Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
       • As breach size increases, some costs appear to scale more than others: forensics less; notifications, credit monitoring, and fines & judgments more; customer loss unknown.
  56. QUESTIONS
  57. Closing
     “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” (PC Magazine, Editors’ Choice)
     “Co3…defines what software packages for privacy look like.” (Gartner)
     “Platform is comprehensive, user friendly, and very well designed.” (Ponemon Institute)
     Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140; phone 617.206.3900; www.co3sys.com
     Patrick Florer, Co-Founder & CTO, Risk Centric Security, Inc.; 214-828-1172
  58. APPENDIX
  59. What kinds of data might be exposed? Operational Data
     • Unpublished phone numbers
     • Private email addresses
     • HR data about employees
     • Passwords and login credentials
     • Certificates
     • Encryption keys
     • Tokenization data
     • Network and infrastructure data
  60. What kinds of data might be exposed? Intellectual Property
     • Company confidential information
     • Financial information
     • Merger, acquisition, divestiture, marketing, and other plans
     • Product designs, plans, formulas, recipes
  61. What kinds of data might be exposed? Financial Information
     • Credit / debit card data
     • Bank account and transit routing data
     • Financial trading account data
     • ACH credentials and data
  62. What is PII in the European Union?
     • A term similar to PII, "personal data", is defined in EU Directive 95/46/EC for the purposes of the directive (Article 2(a)): personal data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  63. What is Protected Health Information (PHI)?
     PHI that is linked to an individual via any of the following 18 identifiers must be treated with special care according to HIPAA:
     • Names
     • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
     • Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
     • Phone numbers
  64. What is Protected Health Information (PHI)? (continued)
     • Fax numbers
     • Electronic mail addresses
     • Social Security numbers
     • Medical record numbers
     • Health plan beneficiary numbers
     • Account numbers
     • Certificate/license numbers
     • Vehicle identifiers and serial numbers, including license plate numbers
     • Device identifiers and serial numbers
     • Web Uniform Resource Locators (URLs)
     • Internet Protocol (IP) address numbers
     • Biometric identifiers, including finger, retinal and voice prints
     • Full face photographic images and any comparable images
     • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
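Slides 63–64 list the 18 Safe Harbor identifiers; the Python below shows how the generalization rules (three-digit ZIP with the 000 exception, year-only dates, the 90-or-older age category with the birth year dropped as well) and the outright removals would be applied to a single record. It is an added example, not from the deck and not Co3 or Risk Centric Security code: the field names, the sample record and the small-population ZIP3 set are constructed, and a real deployment must derive that set from current Census data as the slide requires.

```python
"""Apply the HIPAA Safe Harbor rules from slides 63-64 to a patient record.
Added example, not from the deck.  Field names, the sample record and the
small-population ZIP3 set are constructed; the real ZIP3 set must be
derived from current Census data (areas with 20,000 or fewer people)."""
import re
from datetime import date

# Constructed placeholder, NOT the Census-derived list.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Identifiers Safe Harbor removes outright (assumed field names).
REMOVE_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}
# Geography smaller than a state is removed; ZIP is handled separately.
GEO_FIELDS = {"street", "city", "county", "precinct"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits, except that a prefix whose area
    holds 20,000 or fewer people (or an unparsable ZIP) becomes 000."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in SMALL_POPULATION_ZIP3:
        return "000"
    return zip3


def age_on(as_of: date, birth: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record with the 18 identifiers removed or generalized.
    Dates directly related to the individual keep only the year; the
    birth year is dropped entirely when it would reveal an age over 89."""
    out = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS or key in GEO_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            age = age_on(as_of, value)
            out["age"] = generalize_age(age)
            if age < 90:
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[key] = str(value.year)  # admission, discharge, death, ...
        else:
            out[key] = value            # e.g. state, diagnosis code
    return out


# Constructed sample record; all values are fictitious.
SAMPLE = {
    "name": "Jane Example", "street": "12 Main St", "city": "Springfield",
    "state": "MA", "zip": "03601", "birth_date": date(1920, 5, 1),
    "admission_date": date(2012, 10, 3), "phone": "555-0100",
    "email": "jane@example.org", "mrn": "MRN-0001",
    "ip_address": "192.0.2.7", "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2012, 11, 8)))
    # -> zip3 "000" (small-population prefix), age "90+" with no birth
    #    year, admission_date "2012", state and diagnosis unchanged
```

Safe Harbor is a field-level rule set, so the function works only on fields it knows; free-text notes that embed names or dates need separate treatment, and the slide's 000 exception depends entirely on keeping SMALL_POPULATION_ZIP3 current with Census data.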
  65. How do we estimate costs? Intellectual Property
     How to value?
     • Fair market value
     • Cost to create
     • Historical value
     Methodologies:
     • Cost approach: reproduction or replacement
     • Market approach
     • Income approach
     • Relief-from-royalty approach
     • Technology factor