Deconstructing The Cost Of A Data Breach

An analysis of the many factors to be considered when talking about data breaches.

Deconstructing The Cost Of A Data Breach Presentation Transcript

  • 1. Risk Centric Security, Inc. www.riskcentricsecurity.com. Authorized reseller of ModelRisk from Vose Software. Risk Analysis for the 21st Century®. Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc. All rights reserved.
  • 2. Patrick Florer has worked in information technology for 32 years. In addition, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer.
  • 3. Questions for this talk:
    • What is a breach?
    • What are data?
    • What kinds of costs are we talking about?
    • Whose costs are we talking about?
    • How do we estimate costs / impact?
  • 4. breach: 1. a. An opening, a tear, or a rupture. b. A gap or rift, especially in or as if in a solid structure such as a dike or fortification. 2. A violation or infraction, as of a law, a legal obligation, or a promise. 3. A breaking up or disruption of friendly relations; an estrangement. 4. A leap of a whale from the water. 5. The breaking of waves or surf. (The American Heritage® Dictionary of the English Language, Fourth Edition, copyright © 2000 by Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights reserved.)
  • 5. breach: 1. a crack, break, or rupture. 2. a breaking, infringement, or violation of a promise, obligation, etc. 3. any severance or separation. 4. (Military) a gap in an enemy's fortifications or line of defense created by bombardment or attack. 5. (Life Sciences & Allied Applications / Zoology) the act of a whale in breaking clear of the water. 6. (Earth Sciences / Physical Geography) the breaking of sea waves on a shore or rock. 7. (Medicine / Pathology) an obsolete word for wound. (Collins English Dictionary – Complete and Unabridged, © HarperCollins Publishers 1991, 1994, 1998, 2000, 2003.)
  • 6. breach: 1. the act or a result of breaking; break or rupture. 2. an infraction or violation, as of a law, trust, faith, or promise. 3. a gap made in a wall, fortification, line of soldiers, etc.; rift; fissure. 4. a severance of friendly relations. 5. the leap of a whale above the surface of the water. (www.dictionary.com)
  • 7. Data Breach: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. The law is evolving – basically a breach is an unauthorized use of a computer system. Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).
  • 8. Data Breach: Is the concept of a breach too narrow to describe many types of events? Do we need different words and concepts?
    • A single event at a single point in time?
    • What about an attack that exfiltrates data over a long period of time?
  • 9. Kinds of data:
    • Operational Data
    • Intellectual Property
    • Financial Information
    • Personal Information
    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI)
  • 10. Operational Data:
    • Unpublished phone numbers
    • Private email addresses
    • Passwords and login credentials
    • Certificates
    • Encryption keys
    • Tokenization data
    • Network and infrastructure data
  • 11. Intellectual Property:
    • Company confidential information
    • Financial information
    • Merger, acquisition, divestiture, marketing, and other plans
    • Product designs, plans, formulas, recipes
    • HR data about employees
  • 12. Financial Information:
    • Credit / debit card data
    • Bank account and transit routing data
    • Financial trading account data
    • ACH credentials and data
  • 13. Personal Information: data that identify a person but that are not considered protected:
    • Name
    • Address
    • Phone number
    • Email address
    • Facebook name
    • Twitter handle
  • 14. Personally Identifiable Information (PII): The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB),[2] and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122).[3] The OMB memorandum defines PII as follows:
    • Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. (from wikipedia.com)
  • 15. Personally Identifiable Information (PII): A term similar to PII, "personal data", is defined in EU directive 95/46/EC, for the purposes of the directive:[4] Article 2a: personal data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. (from wikipedia.com)
  • 16. Personally Identifiable Information (PII): According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive. Was the Epsilon breach a "breach"? Have there been other "non-breach" breaches? Given the powerful correlations that can be made, are these definitions too narrow?
  • 17. Protected Health Information (PHI): Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
  • 18. Protected Health Information (PHI): PHI that is linked based on the following list of 18 identifiers must be treated with special care according to HIPAA:
    • Names
    • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
    • Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Phone numbers
  • 19. Protected Health Information (PHI), continued:
    • Fax numbers
    • Electronic mail addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Uniform Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger, retinal and voice prints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
  • 20. Two groups of costs:
    • Costs that we should be able to discover and/or estimate
    • Costs that might be difficult to discover and/or estimate
  • 21. Costs that we should be able to discover and/or estimate:
    • Lost productivity
    • Incident response and forensics costs
    • Costs of replacing lost or damaged hardware, software, or information
    • Public relations costs
    • Legal costs
    • Costs of sending letters to notify customers and business partners
    • Costs of providing credit monitoring
    • Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)
  • 22. Costs that we should be able to discover and/or estimate, continued:
    • Fines and indemnifications imposed by contracts with business partners
    • Contractual fines and penalties resulting from PCI DSS related incidents - either data loss or compliance failure
    • Judgments and legal settlements - customers, business partners, shareholders
    • Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)
  • 23. Costs that might be difficult to discover and/or estimate:
    • Loss of competitive advantage
    • Loss of shareholder value
    • Reputation loss
    • Opportunity and sales losses from customers and business partners who went elsewhere
    • Value of intellectual property
  • 24. Whose costs?
    • Breached entity?
    • Shareholders?
    • Citizens / the public at large?
    • Card brands?
    • Issuing banks?
    • Customers?
    • Business partners?
    • Consumers?
    • Taxpayers (law enforcement costs)?
  • 25. Cost structure: fixed / overall costs versus per-record costs:
    • Direct/Primary
    • Indirect/Secondary
    • Variable costs that scale with magnitude of breach
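The cost categories of slides 21 to 23 and the fixed / per-record, direct / indirect structure of slide 25 can be turned into a small estimation model. The code below is an added example, not material from the presentation or from Risk Centric Security; every dollar figure in it is a constructed placeholder, and the triangular-distribution Monte Carlo is one common way to express three-point estimates, chosen here to show the hard-to-estimate items as a range rather than a single number.

```python
import random
from dataclasses import dataclass


@dataclass
class CostItem:
    """One cost line; low/likely/high form a three-point estimate in USD."""
    name: str
    low: float
    likely: float
    high: float
    per_record: bool = False   # variable cost that scales with breach magnitude
    direct: bool = True        # direct/primary versus indirect/secondary

    def scale(self, records: int) -> int:
        return records if self.per_record else 1


# Constructed sample estimates for illustration only, not figures from the deck.
SAMPLE_ITEMS = [
    CostItem("incident response and forensics", 50_000, 100_000, 250_000),
    CostItem("legal", 100_000, 200_000, 500_000),
    CostItem("public relations", 20_000, 50_000, 100_000),
    CostItem("notification letters", 0.50, 1.00, 2.00, per_record=True),
    CostItem("credit monitoring", 5.00, 10.00, 25.00, per_record=True),
    CostItem("lost customers / reputation", 0, 500_000, 2_000_000, direct=False),
]


def point_estimate(items, records):
    """Most-likely total: fixed items counted once, per-record items times record count."""
    return sum(i.likely * i.scale(records) for i in items)


def breakdown(items, records):
    """Split the point estimate along both axes: fixed/variable and direct/indirect."""
    out = {"fixed": 0.0, "variable": 0.0, "direct": 0.0, "indirect": 0.0}
    for i in items:
        value = i.likely * i.scale(records)
        out["variable" if i.per_record else "fixed"] += value
        out["direct" if i.direct else "indirect"] += value
    return out


def simulate(items, records, trials=20_000, seed=7):
    """Monte Carlo: draw each item from triangular(low, likely, high) and report
    percentiles of the total, so uncertainty becomes a visible range."""
    rng = random.Random(seed)
    totals = sorted(
        sum(rng.triangular(i.low, i.high, i.likely) * i.scale(records) for i in items)
        for _ in range(trials)
    )
    pct = lambda p: totals[int(p * (trials - 1))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


if __name__ == "__main__":
    n = 100_000
    print(point_estimate(SAMPLE_ITEMS, n), point_estimate(SAMPLE_ITEMS, n) / n)
    print(breakdown(SAMPLE_ITEMS, n))
    print(simulate(SAMPLE_ITEMS, n))
```

Dividing the total by the record count gives the headline "cost per record" figure; the breakdown shows how much of it is actually fixed cost spread over the records, which is why that figure falls as breaches get larger.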
  • 26. How to value?
    • Fair Market Value
    • Fair Value
    • Historical Value
    Methodologies:
    • Cost Approach
    • Market Approach
    • Income Approach
    • Relief from Royalty Approach
    • Technology Factor
  • 27. How do we know about data breaches?
    • Victim notifications
    • News media
    • Securities and Exchange Commission (SEC) filings
    • Department of Justice (DOJ) indictments
    • HIPAA/HITECH Office of Civil Rights (OCR) actions
    • FTC actions
    • Press releases
    Disclosure laws:
    • HIPAA/HITECH
    • State breach laws
    • New SEC Guidance re "material" impact
  • 28. Research projects:
    • Datalossdb.org (www.datalossdb.org)
    • Identity Theft Resource Center (www.idtheftcenter.org)
    • Office of Inadequate Security (www.databreaches.net)
    Published reports:
    • Cisco
    • Mandiant
    • Ponemon Institute
    • Sophos
    • Symantec
    • Verizon Business DBIR
    • X-Force (IBM)
  • 29. Non-public sources:
    • Forensics investigators
    • Card brands
    • Payment processors
    • Subscription services
    • Data sharing consortia – Information Sharing and Analysis Centers (ISACs)
    • Government intelligence agencies
    • Word of mouth and anecdotal evidence
  • 30. Thank you! Patrick Florer, CTO and Co-founder, Risk Centric Security, Inc. patrick@riskcentricsecurity.com, 214.828.1172. Risk Analysis for the 21st Century®. Authorized reseller of ModelRisk from Vose Software. To provide feedback on this presentation: https://www.surveymonkey.com/sourceboston12