Deconstructing the
Cost of a Data Breach
Agenda



• Introductions

• Deconstructing the cost of a data breach:
  • Data breaches can involve many types of data.
  • Data breaches can involve many types of costs.
  • The costs of a data breach can range from zero to more
    than $170 million.

• Q&A


                             Page 2
Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst

• Patrick Florer, Co-Founder & CTO, Risk Centric Security
  • Fellow of and Chief Research Analyst at the Ponemon Institute.
  • 32 years of IT experience, including roles in IT operations,
    development, and systems analysis
  • 17 years in parallel working in medical outcomes research,
    analysis, and the creation of evidence-based guidelines for medical
    treatment




                                  Page 3
Co3 Automates Breach Management

PREPARE
Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

ASSESS
Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

REPORT
Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

MANAGE
Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion




                                      Page 4
About Risk Centric Security

• Risk Centric Security offers state of the art SaaS tools and training that
  empower Information Security Professionals to perform credible,
  defensible, and reproducible risk and decision analyses, and to
  articulate the results and relevance of these analyses in language that
  business counterparts will understand.

• Risk Centric Security was founded by two Information Technology and
  Information Security veterans who have more than forty years of
  combined experience providing solutions to complex problems for
  smaller companies as well as for companies in the Fortune 1000.


Risk Centric Security, Inc.
www.riskcentricsecurity.com

Authorized reseller of ModelRisk from Vose Software



                                                      Page 5
What is a data breach?

 Data Breach:

 • A data breach is an incident in which sensitive, protected or confidential data
   has potentially been viewed, stolen or used by an individual unauthorized to
   do so. Data breaches may involve personal health information (PHI),
   personally identifiable information (PII), trade secrets or intellectual property.

 • The law is evolving – basically a breach is an unauthorized use of a computer
   system.

 • Many prosecutions take place under provisions of the Computer Fraud and
   Abuse Act (CFAA).

 • Data breaches can also happen by accident or error.


                                         Page 6
What is a data breach?

Data Breach:

• Is the concept of a breach too narrow to describe many
  types of events?

• Do we need different words and concepts?

   - A single event at a single point in time?

   - What about an attack that exfiltrates data over a long
     period of time?



                              Page 7
What kinds of data might be exposed?



 • Operational Data
 • Intellectual Property
 • Financial Information
 • Personally Identifiable Information (PII)
 • Protected Health Information (PHI)




                          Page 8
What kinds of data might be exposed?


Personally Identifiable Information (PII):
• The U.S. government used the term "personally identifiable" in 2007 in a
  memorandum from the Executive Office of the President, Office of
  Management and Budget (OMB), and that usage now appears in US
  standards such as the NIST Guide to Protecting the Confidentiality of
  Personally Identifiable Information (SP 800-122). The OMB
  memorandum defines PII as follows:

  • Information which can be used to distinguish or trace an individual's
    identity, such as their name, social security number, biometric records,
    etc. alone, or when combined with other personal or identifying
    information which is linked or linkable to a specific individual, such as
    date and place of birth, mother’s maiden name, etc.


                                     Page 9
What data aren’t PII?


• Data that identify a person that are not considered
  protected:
 • Name
 • Address
 • Phone number
 • Email address – things are changing with regard to e-mail
   addresses
 • Facebook name
 • Twitter handle


                            Page 10
Is it PII or not?

 Personally Identifiable Information (PII):
 • According to the OMB, it is not always the case that PII is "sensitive",
   and context may be taken into account in deciding whether certain PII
   is or is not sensitive.

 • Geo-location data?

 • Was the Epsilon breach a “breach”?

 • Have there been other “non-breach” breaches?

 • Given the powerful correlations that can be made, are these definitions
   too narrow?



                                   Page 11
What kinds of data might be exposed?


Protected Health Information (PHI):

  Protected health information (PHI), under the US Health
  Insurance Portability and Accountability Act (HIPAA), is
  any information about health status, provision of health
  care, or payment for health care that can be linked to a
  specific individual. This is interpreted rather broadly and
  includes any part of a patient’s medical record or payment
  history.




                            Page 12
POLL
What costs are we going to discuss?


 • Direct and Indirect Costs?

 • Primary and Secondary Costs?

 • Costs that we should be able to discover and/or
   estimate.


 • Costs that might be difficult to discover and/or
   estimate.

                          Page 14
What costs are we going to discuss?


Costs that we should be able to discover and/or
estimate:
 •   Lost productivity
 •   Incident response and forensics costs
 •   Costs of replacing lost or damaged hardware, software, or information
 •   Public relations costs
 •   Legal costs
 •   Costs of sending letters to notify customers and business partners
 •   Costs of providing credit monitoring
 •   Fines from governmental action (HIPAA/HITECH, FTC, State
     Attorneys General, etc.)


                                    Page 15
What costs are we going to discuss?


Costs that we should be able to discover and/or
estimate:
 • Fines and indemnifications imposed by contracts with business
   partners

 • Contractual fines and penalties resulting from PCI DSS related
   incidents - either data loss or compliance failure

 • Judgments and legal settlements - customers, business partners,
   shareholders

 • Additional compliance and audit costs related to legal settlements (20
   years of additional reporting, for example)


                                   Page 16
What costs are we going to discuss?


Costs that might be difficult to discover and/or
estimate:
 • Loss of competitive advantage
 • Loss of shareholder value
 • Reputation loss
 • Opportunity and Sales losses from customers and
   business partners who went elsewhere
 • Value of intellectual property




                           Page 17
Whose costs are we going to discuss?

 • Breached entity?
 • Shareholders?
 • Citizens / the public at large?
 • Card brands?
 • Issuing banks?
 • Customers?
 • Business partners?
 • Consumers?
 • Taxpayers (law enforcement costs)?



                           Page 18
How do we measure and estimate costs?

 • Fixed / Overall Costs

  Per record costs

 • Direct/Primary

 • Indirect/Secondary

 • Variable costs that scale with magnitude of breach



                             Page 19
Sources of Data

How do we know about data breaches?
 •   Victim notifications
 •   News media
 •   Securities and Exchange Commission (SEC) filings
 •   Department of Justice (DOJ) indictments
 •   HIPAA/HITECH Office of Civil Rights (OCR) actions
 •   FTC actions
 •   Press releases
Disclosure laws
 • HIPAA/HITECH
 • State breach laws
 • New SEC Guidance re “material” impact


                                   Page 20
Sources of Data

Research projects:
 • Datalossdb.org (www.datalossdb.org)
 • Identity Theft Resource Center (www.idtheftcenter.org)
 • Office of Inadequate Security (www.databreaches.net)


Published reports:
 •   Cisco
 •   Mandiant
 •   Ponemon Institute
 •   Sophos
 •   Symantec
 •   Verizon Business DBIR
 •   X-Force (IBM)

                                  Page 21
Sources of Data


Non-public sources:
 • Forensics Investigators
 • Card Brands
 • Payment Processors
 • Subscription services
 • Data sharing consortia – Information Sharing and Analysis
   Centers (ISACs)
 • Government Intelligence agencies
 • Word of mouth and anecdotal evidence


                            Page 22
Some Estimates of Cost

Ponemon Institute 2011 Cost of Data Breach Study:
 United States
 • 49 Companies surveyed – multiple people per company.
 • Breach sizes ranged from 5K – 100K exposed records.
 • Participants estimated the minimum and maximum
   amounts for a number of costs, from which the mid-point
   value was selected.
 • According to some legal experts, Ponemon Institute
   numbers are the “gold” standard in the Federal Courts.
 • The raw data are published in the report appendix.


                            Page 23
POLL
Some Estimates of Cost: Ponemon Institute


In the 2011 report:

 • Overall weighted average per record = $194 (down from
   $214 in 2010)

 • Overall average total = $5.5 M (down from $7.2M in 2011)




                            Page 25
Some Estimates of Cost: Ponemon Institute




                       Page 26
Some Estimates of Cost: Ponemon Institute




                       Page 27
Some Estimates of Cost: Larger Breaches


DSW Shoes (2005):

 • 1.4 million records / $6.5M – $9.5M (press releases)

 • Cost per record = $4.64 – $6.79




                             Page 28
Some Estimates of Cost: Larger Breaches


TJX (Dec, 2007):

 • 90 million records / $171M – $191M (SEC filings)

 • Accelerated CapEx = $250M (rumored)

 • Cost per record = $1.90 – $2.12




                            Page 29
Some Estimates of Cost: Larger Breaches


Heartland Payment Systems (Dec, 2009):

 • 130 million records / $114M – $117M, after $31.2M recovery
   from insurance (SEC filings)

 • Cost per record = ~$0.90




                              Page 30
Some Estimates of Cost: Larger Breaches


Sony (Mar, 2011):

 • 100 million records / $171M (Sony press release)

 • Cost per record = $1.71




                             Page 31
Some Estimates of Cost: Larger Breaches


Global Payments (June, 2011):

 • 1.5 - 7 million records / $84.4M in 2012, $55 - $65M in
   2013 (SEC filings)

 • Up to $30M recovered through insurance (SEC filings)

 • Total cost estimated to be $110M - $120M

 • Cost per record = $15.71 - $80


                             Page 32
Some Estimates of Cost: Larger Breaches

South Carolina Department of Revenue (October,
 2012), as of 11/08/2012:

 • 3.8M individual tax returns exposed – up from 3.6M
 • 657,000 business returns exposed
 • Two pronged attack – phish and malware
 • Data were not encrypted – Governor of SC stated it was
   best practice not to encrypt
 • Outside forensics and legal have been retained
 • Total cost estimated to be $12M - $18M
 • Cost per record = $3 – $5

                            Page 33
Some Estimates of Cost: Correlations


• Measured on a per record basis, the cost per
  record declines as the size of the breach increases

• Measured on a total cost basis, the total cost
  increases as the number of exposed records
  increases

• Both of these correlations are weak



                          Page 34
Some Estimates of Cost: Ponemon Correlations




                       Page 35
Some Estimates of Cost: Ponemon Correlations




                       Page 36
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 37
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 38
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 39
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 40
Some Estimates of Cost: Ponemon + Other Data
Correlations




                       Page 41
Some Estimates of Cost: Ponemon + Other Data
Correlations
         Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost




                                        Page 42
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 43
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 44
Some Estimates of Cost: Ponemon + Other Data
Correlations




                      Page 45
Some Estimates of Cost: Ponemon + Other Data
Correlations




                       Page 46
Are There Patterns in the Data?
Log10 Frequency of Exposed Records




                      Page 47
Are There Patterns in the Data? Beta4 Distribution with
Uncertainty




                         Page 48
Are there Patterns in the Data? Beta4 Quantile-
Quantile (Q-Q) Plot




                         Page 49
Are there Patterns in the Data? Levy Distribution – a
very poor fit




                         Page 50
Are There Patterns in the Data? Future Research


Model breach cost by size of breach, using a
 scale that is logarithmic (mostly):

   • <5K records
   • 5K – 100K records
   • 100K – 1M records
   • 1M – 10M records
   • 10M – 100M records
   • >100M records
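As an added worked example (not code from the deck or its authors), the arithmetic behind the "Larger Breaches" slides, the size classes proposed above, and a sign check of the two correlations claimed on the Correlations slide, in Python. The breach figures are the ones quoted on the slides; the names `Breach`, `per_record_range`, `size_class`, `spearman` and `correlations` are mine, Global Payments is represented by the midpoint of its 1.5-7M record range when correlating, and the size classes are treated as half-open, all assumptions of mine.

```python
"""Breach-cost arithmetic for the figures quoted in this deck.

Constructed from the "Larger Breaches" slides: DSW, TJX, Heartland
(HPS), Sony, Global Payments (GP) and the SC Department of Revenue.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

M = 1_000_000


@dataclass(frozen=True)
class Breach:
    name: str
    records_lo: int   # lowest reported count of exposed records
    records_hi: int   # highest reported count (equal to lo if one figure)
    cost_lo: float    # lowest reported total cost, USD
    cost_hi: float    # highest reported total cost, USD


# Figures as quoted on the slides (records in units, costs in USD).
BREACHES: List[Breach] = [
    Breach("DSW", 1_400_000, 1_400_000, 6.5 * M, 9.5 * M),
    Breach("TJX", 90 * M, 90 * M, 171 * M, 191 * M),
    Breach("HPS", 130 * M, 130 * M, 114 * M, 117 * M),
    Breach("Sony", 100 * M, 100 * M, 171 * M, 171 * M),
    Breach("GP", 1_500_000, 7 * M, 110 * M, 120 * M),
    Breach("SC DoR", 3_800_000, 3_800_000, 12 * M, 18 * M),
]

# The deck's (mostly) log10 size classes as (exclusive upper edge, label).
# Assumption: half-open classes, so a count equal to an edge goes up a class.
SIZE_CLASSES: Sequence[Tuple[int, str]] = (
    (5_000, "<5K"),
    (100_000, "5K - 100K"),
    (1 * M, "100K - 1M"),
    (10 * M, "1M - 10M"),
    (100 * M, "10M - 100M"),
)


def per_record_range(b: Breach) -> Tuple[float, float]:
    """Lowest and highest cost per exposed record, rounded to cents.

    The slides pair the lowest cost with the most records and the highest
    cost with the fewest, e.g. GP: 110M/7M = 15.71 and 120M/1.5M = 80.
    """
    return (round(b.cost_lo / b.records_hi, 2),
            round(b.cost_hi / b.records_lo, 2))


def size_class(records: int) -> str:
    """Map a record count onto the deck's proposed size classes."""
    for upper, label in SIZE_CLASSES:
        if records < upper:
            return label
    return ">100M"


def _ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman rank correlation, computed as Pearson's r on the ranks."""
    rx, ry = _ranks(xs), _ranks(ys)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / (vx * vy) ** 0.5


def correlations(breaches: Sequence[Breach]) -> Dict[str, float]:
    """Sign check of the deck's two claims on the midpoints of each range:
    records vs. total cost should be > 0, records vs. per-record cost < 0."""
    recs = [(b.records_lo + b.records_hi) / 2 for b in breaches]
    total = [(b.cost_lo + b.cost_hi) / 2 for b in breaches]
    per_rec = [sum(per_record_range(b)) / 2 for b in breaches]
    return {
        "records_vs_total": round(spearman(recs, total), 3),
        "records_vs_per_record": round(spearman(recs, per_rec), 3),
    }


if __name__ == "__main__":
    for b in BREACHES:
        lo, hi = per_record_range(b)
        print(f"{b.name:7s} {size_class(b.records_hi):>11s}  "
              f"${lo:.2f} - ${hi:.2f} per record")
    print(correlations(BREACHES))
```

Six headline breaches are far too few to call the correlations strong or weak; with this sample the point is only that both signs come out as the slides state.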



                          Page 51
Wrap-up


• We have covered many topics today. To
  summarize:

 • Breaches can involve many types of data:

   • To date, most reported breaches deal with PII, PHI, and
     credit card data.
   • For many of these breaches, the number of records
     exposed is not reported, often because the number is
     unknown.
   • Intellectual property breaches are seldom reported,
     possibly because they are so difficult to detect.

                            Page 52
Wrap-up



 • Breaches involve many types of costs:

  • In the largest credit card breaches, the majority of costs
    are due to settlements with the card brands.
  • A PHI breach may result in fines that seem
    disproportionate to the number of records exposed.
  • Per-record metrics are appropriate for some types of
    breaches (PII, PHI, CCard), but not others (IP).
  • Brand damage and loss of stock value are difficult to
    measure, and, in some cases, do not appear to exist.


                             Page 53
Wrap-up

• The costs of a data breach can range from nothing to over
  $170 million.

 • Breaches that are never detected cost nothing – nothing
   that can be measured, at least.
 • Per the numbers from the 2011 Ponemon Institute Cost of
   Breach study, there is a wide variation in total breach cost:
   from $500K to over $20 million.
 • For breaches that expose more than 1 million records, the
   reported costs per record vary greatly, ranging from as
   little as $0.90 (HPS) per record to as much as $80 per
   record (GP).

                              Page 54
Wrap-up

• There may be patterns in the data that can help us predict
  the cost of a breach, should it happen to us:

 • The numbers of records exposed in reported breaches
   appear to follow a lognormal distribution.
 • Although the correlations are not strong, total costs
   increase and per-record costs decrease as the number of
   exposed records increases.
 • As breach size increases, some costs appear to scale
   more than others: forensics = less, notifications = more,
   credit monitoring = more, fines & judgments = more,
   customer loss = unknown

                              Page 55
QUESTIONS
“Co3 Systems makes the process of planning for a nightmare scenario as
painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”
GARTNER

“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE

One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM

Patrick Florer
Co-Founder & CTO
Risk Centric Security, Inc.
214-828-1172
patrick@riskcentricsecurity.com
www.riskcentricsecurity.com
APPENDIX
What kinds of data might be exposed?


Operational Data:
 • Unpublished phone numbers
 • Private email addresses
 • HR data about employees
 • Passwords and login credentials
 • Certificates
 • Encryption keys
 • Tokenization data
 • Network and infrastructure data


                            Page 59
What kinds of data might be exposed?


Intellectual Property:
 • Company confidential information
 • Financial information
 • Merger, acquisition, divestiture, marketing, and other plans
 • Product designs, plans, formulas, recipes




                             Page 60
What kinds of data might be exposed?


Financial information:
 • Credit / debit card data
 • Bank account and transit routing data
 • Financial trading account data
 • ACH credentials and data




                             Page 61
What is PII in the European Union?


Personally Identifiable Information (PII):

• A term similar to PII, "personal data", is defined in EU Directive 95/46/EC, for the
  purposes of the directive:

      Article 2a: 'personal data' shall mean any information relating to an identified
      or identifiable natural person ('data subject'); an identifiable person is one who
      can be identified, directly or indirectly, in particular by reference to an
      identification number or to one or more factors specific to his physical,
      physiological, mental, economic, cultural or social identity;




from wikipedia.com


                                          Page 62
What is Protected Health Information (PHI)?

• PHI that is linked based on the following list of 18 identifiers
  must be treated with special care according to HIPAA:
 • Names
 • All geographical subdivisions smaller than a State, including street address,
   city, county, precinct, zip code, and their equivalent geocodes, except for the
   initial three digits of a zip code, if according to the current publicly available
   data from the Bureau of the Census: (1) The geographic unit formed by
   combining all zip codes with the same three initial digits contains more than
   20,000 people; and (2) The initial three digits of a zip code for all such
   geographic units containing 20,000 or fewer people is changed to 000
 • Dates (other than year) for dates directly related to an individual, including
   birth date, admission date, discharge date, date of death; and all ages over 89
   and all elements of dates (including year) indicative of such age, except that
   such ages and elements may be aggregated into a single category of age 90
   or older
 • Phone numbers

                                        Page 63
What is Protected Health Information (PHI)?

    Protected Health Information (PHI):
 •   Fax numbers
 •   Electronic mail addresses
 •   Social Security numbers
 •   Medical record numbers
 •   Health plan beneficiary numbers
 •   Account numbers
 •   Certificate/license numbers
 •   Vehicle identifiers and serial numbers, including license plate numbers;
 •   Device identifiers and serial numbers;
 •   Web Uniform Resource Locators (URLs)
 •   Internet Protocol (IP) address numbers
 •   Biometric identifiers, including finger, retinal and voice prints
 •   Full face photographic images and any comparable images
 •   Any other unique identifying number, characteristic, or code (note this does not
     mean the unique code assigned by the investigator to code the data)

                                           Page 64
How do we estimate costs – Intellectual Property


How to value?
 • Fair Market Value
 • Cost to Create
 • Historical Value


Methodologies:
 •   Cost Approach: Reproduction or Replacement
 •   Market Approach
 •   Income Approach
 •   Relief from Royalty Approach
 •   Technology Factor



                                 Page 65
 
Data Breach In The Hospitality Industry
Data Breach In The Hospitality IndustryData Breach In The Hospitality Industry
Data Breach In The Hospitality IndustryClarknuber
 
Shaping the Future of Trusted Digital Identity
Shaping the Future of Trusted Digital IdentityShaping the Future of Trusted Digital Identity
Shaping the Future of Trusted Digital IdentityNoreen Whysel
 
David doughty presentation 181119
David doughty presentation 181119David doughty presentation 181119
David doughty presentation 181119David Doughty
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachJim Brashear
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Joe Bartolo
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...AIIM International
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Edge Pereira
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyResilient Systems
 
2011 hildebrandt institute cio forum data privacy and security presentation...
2011 hildebrandt institute cio forum   data privacy and security presentation...2011 hildebrandt institute cio forum   data privacy and security presentation...
2011 hildebrandt institute cio forum data privacy and security presentation...David Cunningham
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteGlobus
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a bytelgcdcpas
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...Financial Poise
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceEquiGov Institute
 
2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliantTrustArc
 
Digital Forensics 101 – How is it used to protect an Organization’s Data?
Digital Forensics 101 – How is it used to protect an Organization’s Data?Digital Forensics 101 – How is it used to protect an Organization’s Data?
Digital Forensics 101 – How is it used to protect an Organization’s Data?PECB
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of  Personal (PII) DataDAMA Webinar: The Data Governance of  Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDATAVERSITY
 

Similar to Deconstructing Data Breach Cost (20)

3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
3rd Party Risk: Practical Considerations for Privacy & Security Due Diligence
 
Data Breach Response is a Team Sport
Data Breach Response is a Team SportData Breach Response is a Team Sport
Data Breach Response is a Team Sport
 
Data Breach In The Hospitality Industry
Data Breach In The Hospitality IndustryData Breach In The Hospitality Industry
Data Breach In The Hospitality Industry
 
Shaping the Future of Trusted Digital Identity
Shaping the Future of Trusted Digital IdentityShaping the Future of Trusted Digital Identity
Shaping the Future of Trusted Digital Identity
 
David doughty presentation 181119
David doughty presentation 181119David doughty presentation 181119
David doughty presentation 181119
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...Office 365 : Data leakage control, privacy, compliance and regulations in the...
Office 365 : Data leakage control, privacy, compliance and regulations in the...
 
Anatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The UglyAnatomy Of A Breach: The Good, The Bad & The Ugly
Anatomy Of A Breach: The Good, The Bad & The Ugly
 
2011 hildebrandt institute cio forum data privacy and security presentation...
2011 hildebrandt institute cio forum   data privacy and security presentation...2011 hildebrandt institute cio forum   data privacy and security presentation...
2011 hildebrandt institute cio forum data privacy and security presentation...
 
Enabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest KeynoteEnabling Science with Trust and Security – Guest Keynote
Enabling Science with Trust and Security – Guest Keynote
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
Don't let them take a byte
Don't let them take a byteDon't let them take a byte
Don't let them take a byte
 
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'...
 
Data protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure complianceData protection: Steps Organisations can take to ensure compliance
Data protection: Steps Organisations can take to ensure compliance
 
2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant
 
Digital Forensics 101 – How is it used to protect an Organization’s Data?
Digital Forensics 101 – How is it used to protect an Organization’s Data?Digital Forensics 101 – How is it used to protect an Organization’s Data?
Digital Forensics 101 – How is it used to protect an Organization’s Data?
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of  Personal (PII) DataDAMA Webinar: The Data Governance of  Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
 

More from Resilient Systems

You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentResilient Systems
 
Data Breach Crisis Control – How to Communicate When You’re in the Hot Seat
Data Breach Crisis Control – How to Communicate When You’re in the Hot SeatData Breach Crisis Control – How to Communicate When You’re in the Hot Seat
Data Breach Crisis Control – How to Communicate When You’re in the Hot SeatResilient Systems
 
Co3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions WebinarCo3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions WebinarResilient Systems
 
By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features Resilient Systems
 
Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Resilient Systems
 
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Resilient Systems
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaResilient Systems
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response FunctionResilient Systems
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response PlanResilient Systems
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 DaysResilient Systems
 
The Target Breach – Follow The Money
The Target Breach – Follow The MoneyThe Target Breach – Follow The Money
The Target Breach – Follow The MoneyResilient Systems
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsResilient Systems
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightResilient Systems
 
You're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeYou're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeResilient Systems
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...Resilient Systems
 

More from Resilient Systems (20)

You've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The IncidentYou've Been Breached: How To Mitigate The Incident
You've Been Breached: How To Mitigate The Incident
 
Data Breach Crisis Control – How to Communicate When You’re in the Hot Seat
Data Breach Crisis Control – How to Communicate When You’re in the Hot SeatData Breach Crisis Control – How to Communicate When You’re in the Hot Seat
Data Breach Crisis Control – How to Communicate When You’re in the Hot Seat
 
Co3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions WebinarCo3's Annual Review & Predictions Webinar
Co3's Annual Review & Predictions Webinar
 
By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features By Popular Demand: Co3's Latest and Greatest Features
By Popular Demand: Co3's Latest and Greatest Features
 
Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents
 
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
Ready or Not, Here They Come Preparing For Phase 2 HIPAA Compliance Audits
 
Encryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a PanaceaEncryption: Who, What, When, Where, and Why It's Not a Panacea
Encryption: Who, What, When, Where, and Why It's Not a Panacea
 
How To Build An Incident Response Function
How To Build An Incident Response FunctionHow To Build An Incident Response Function
How To Build An Incident Response Function
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To Prepare
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
New CISO - The First 90 Days
New CISO - The First 90 DaysNew CISO - The First 90 Days
New CISO - The First 90 Days
 
The Target Breach – Follow The Money
The Target Breach – Follow The MoneyThe Target Breach – Follow The Money
The Target Breach – Follow The Money
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It RightIncident Response: Don't Mess It Up, Here's How To Get It Right
Incident Response: Don't Mess It Up, Here's How To Get It Right
 
You're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat LandscapeYou're Breached: Information Risk Analysis for Today's Threat Landscape
You're Breached: Information Risk Analysis for Today's Threat Landscape
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response Program
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
Deeper Security, Broader Privacy - how firms use the latest Co3 features to a...
 

Recently uploaded

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Deconstructing Data Breach Cost

  • 4. Co3 Automates Breach Management PREPARE ASSESS Improve Organizational Quantify Potential Impact, Readiness Support Privacy Impact • Assign response team Assessments • Describe environment • Track events • Simulate events and incidents • Scope regulatory requirements • Focus on organizational gaps • See $ exposure • Send notice to team • Generate Impact Assessments REPORT MANAGE Document Results and Easily Generate Detailed Track Performance Incident Response Plans • Document incident results • Escalate to complete IR plan • Track historical performance • Oversee the complete plan • Demonstrate organizational • Assign tasks: who/what/when preparedness • Notify regulators and clients • Generate audit/compliance reports • Monitor progress to completion Page 4
  • 5. About Risk Centric Security • Risk Centric Security offers state of the art SaaS tools and training that empower Information Security Professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand. • Risk Centric Security was founded by two Information Technology and Information Security veterans who have more than forty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000. Risk Centric Security, Inc. www.riskcentricsecurity.com Authorized reseller of ModelRisk from Vose Software Page 5
What is a data breach?

Data Breach:
• A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve protected health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
• The law is evolving – basically, a breach is an unauthorized use of a computer system.
• Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).
• Data breaches can also happen by accident or error.

Page 6

What is a data breach?

Data Breach:
• Is the concept of a breach too narrow to describe many types of events?
• Do we need different words and concepts?
  • A single event at a single point in time?
  • What about an attack that exfiltrates data over a long period of time?

Page 7

What kinds of data might be exposed?

• Operational Data
• Intellectual Property
• Financial Information
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)

Page 8

What kinds of data might be exposed?

Personally Identifiable Information (PII):
• The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
• Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Page 9

What data aren’t PII?

• Data that identify a person but are not, on their own, considered protected:
  • Name
  • Address
  • Phone number
  • Email address – things are changing with regard to e-mail addresses
  • Facebook name
  • Twitter handle

Page 10

Is it PII or not?

Personally Identifiable Information (PII):
• According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
• Geo-location data?
• Was the Epsilon breach a “breach”?
• Have there been other “non-breach” breaches?
• Given the powerful correlations that can be made, are these definitions too narrow?

Page 11

What kinds of data might be exposed?

Protected Health Information (PHI):
• Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

Page 12
POLL

Page 13
What costs are we going to discuss?

• Direct and indirect costs?
• Primary and secondary costs?
• Costs that we should be able to discover and/or estimate.
• Costs that might be difficult to discover and/or estimate.

Page 14

What costs are we going to discuss?

Costs that we should be able to discover and/or estimate:
• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)

Page 15

What costs are we going to discuss?

Costs that we should be able to discover and/or estimate:
• Fines and indemnifications imposed by contracts with business partners
• Contractual fines and penalties resulting from PCI DSS related incidents – either data loss or compliance failure
• Judgments and legal settlements – customers, business partners, shareholders
• Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)

Page 16

What costs are we going to discuss?

Costs that might be difficult to discover and/or estimate:
• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and sales losses from customers and business partners who went elsewhere
• Value of intellectual property

Page 17

Whose costs are we going to discuss?

• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?

Page 18

How do we measure and estimate costs?

• Fixed / overall costs
• Per-record costs
• Direct/primary vs. indirect/secondary costs
• Variable costs that scale with the magnitude of the breach

Page 19
Sources of Data

How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office for Civil Rights (OCR) actions
• FTC actions
• Press releases

Disclosure laws:
• HIPAA/HITECH
• State breach laws
• New SEC guidance re “material” impact

Page 20

Sources of Data

Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)

Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)

Page 21

Sources of Data

Non-public sources:
• Forensics investigators
• Card brands
• Payment processors
• Subscription services
• Data sharing consortia – Information Sharing and Analysis Centers (ISACs)
• Government intelligence agencies
• Word of mouth and anecdotal evidence

Page 22
Some Estimates of Cost

Ponemon Institute 2011 Cost of Data Breach Study: United States
• 49 companies surveyed – multiple people per company.
• Breach sizes ranged from 5K – 100K exposed records.
• Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.
• According to some legal experts, Ponemon Institute numbers are the “gold standard” in the Federal Courts.
• The raw data are published in the report appendix.

Page 23

POLL

Page 24

Some Estimates of Cost: Ponemon Institute

In the 2011 report:
• Overall weighted average per record = $194 (down from $214 in 2010)
• Overall average total = $5.5M (down from $7.2M in 2010)

Page 25
Some Estimates of Cost: Ponemon Institute

(Pages 26–27: slide titles only; no further text was extracted.)
Some Estimates of Cost: Larger Breaches

DSW Shoes (2005):
• 1.4 million records / $6.5M – $9.5M (press releases)
• Cost per record = $4.64 – $6.79

Page 28

Some Estimates of Cost: Larger Breaches

TJX (Dec, 2007):
• 90 million records / $171M – $191M (SEC filings)
• Accelerated CapEx = $250M (rumored)
• Cost per record = $1.90 – $2.12

Page 29

Some Estimates of Cost: Larger Breaches

Heartland Payment Systems (Dec, 2009):
• 130 million records / $114M – $117M, after $31.2M recovery from insurance (SEC filings)
• Cost per record = ~$0.90

Page 30

Some Estimates of Cost: Larger Breaches

Sony (Mar, 2011):
• 100 million records / $171M (Sony press release)
• Cost per record = $1.71

Page 31

Some Estimates of Cost: Larger Breaches

Global Payments (June, 2011):
• 1.5 – 7 million records / $84.4M in 2012, $55M – $65M in 2013 (SEC filings)
• Up to $30M recovered through insurance (SEC filings)
• Total cost estimated to be $110M – $120M
• Cost per record = $15.71 – $80 (from $110M / 7M records to $120M / 1.5M records; the range reflects the uncertainty in both the cost and the record count)

Page 32

Some Estimates of Cost: Larger Breaches

South Carolina Department of Revenue (October, 2012), as of 11/08/2012:
• 3.8M individual tax returns exposed – up from 3.6M
• 657,000 business returns exposed
• Two-pronged attack – phish and malware
• Data were not encrypted – Governor of SC stated it was best practice not to encrypt
• Outside forensics and legal have been retained
• Total cost estimated to be $12M – $18M
• Cost per record = $3 – $5 (on the 3.8M individual returns)

Page 33

Some Estimates of Cost: Correlations

• Measured on a per-record basis, the cost per record declines as the size of the breach increases
• Measured on a total-cost basis, the total cost increases as the number of exposed records increases
• Both of these correlations are weak

Page 34
Some Estimates of Cost: Ponemon Correlations

(Pages 35–36: slide titles only; no further text was extracted.)

Some Estimates of Cost: Ponemon + Other Data Correlations

(Pages 37–46: slide titles only; the one caption extracted, from Page 42, reads: Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost.)
Are There Patterns in the Data?

• Page 47: Log10 frequency of exposed records
• Page 48: Beta4 distribution with uncertainty
• Page 49: Beta4 quantile-quantile (Q-Q) plot
• Page 50: Levy distribution – a very poor fit

(Chart titles only; no further text was extracted from these slides.)

Are There Patterns in the Data? Future Research

Model breach cost by size of breach, using a scale that is logarithmic (mostly):
• <5K records
• 5K – 100K records
• 100K – 1M records
• 1M – 10M records
• 10M – 100M records
• >100M records

Page 51
Wrap-up

• We have covered many topics today. To summarize:
• Breaches can involve many types of data:
  • To date, most reported breaches deal with PII, PHI, and credit card data.
  • For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
  • Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.

Page 52

Wrap-up

• Breaches involve many types of costs:
  • In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
  • A PHI breach may result in fines that seem disproportionate to the number of records exposed.
  • Per-record metrics are appropriate for some types of breaches (PII, PHI, credit card), but not others (IP).
  • Brand damage and loss of stock value are difficult to measure and, in some cases, do not appear to exist.

Page 53

Wrap-up

• The costs of a data breach can range from nothing to over $170 million.
  • Breaches that are never detected cost nothing – nothing that can be measured, at least.
  • Per the numbers from the 2011 Ponemon Institute Cost of Data Breach study, there is a wide variation in total breach cost: from $500K to over $20 million.
  • For breaches that expose more than 1 million records, the reported costs per record vary greatly, ranging from as little as $0.90 (Heartland Payment Systems) to as much as $80 (Global Payments) per record.

Page 54

Wrap-up

• There may be patterns in the data that can help us predict the cost of a breach, should it happen to us:
  • The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
  • Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
  • As breach size increases, some costs appear to scale more than others: forensics = less, notifications = more, credit monitoring = more, fines & judgments = more, customer loss = unknown.

Page 55
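The fixed-versus-per-record framing of Page 19, the per-record arithmetic of Pages 28–33, the size bands proposed on Page 51 and the scaling claims in this wrap-up can be checked in a few lines of Python. The block below is an added example written for this page; it is not code from the presentation, from Co3 Systems or from Risk Centric Security. The record counts and cost ranges are the ones quoted on the slides; taking the midpoint of each range, using 4.25M records for Global Payments (the midpoint of 1.5M – 7M) and 3.8M for the South Carolina Department of Revenue (individual returns only, as the slide's per-record figure does) are this example's own choices, and with only six cases the fitted numbers are illustrative rather than predictive.

```python
"""Breach-cost scaling on the six large breaches quoted in the deck.

Added example, not part of the presentation. Record counts and cost ranges
are the slides' figures; midpoints, the 4.25M Global Payments count and the
3.8M SC Department of Revenue count are this example's assumptions.
"""
import math

# (name, records exposed, low total cost USD, high total cost USD)
CASES = [
    ("DSW Shoes",            1_400_000,   6.5e6,   9.5e6),
    ("TJX",                 90_000_000, 171.0e6, 191.0e6),
    ("Heartland",          130_000_000, 114.0e6, 117.0e6),
    ("Sony",               100_000_000, 171.0e6, 171.0e6),
    ("Global Payments",      4_250_000, 110.0e6, 120.0e6),
    ("SC Dept. of Revenue",  3_800_000,  12.0e6,  18.0e6),
]

# Size bands from the "future research" slide (Page 51). Upper edges are
# exclusive, so a breach of exactly 100M records lands in ">100M".
BANDS = [(5_000, "<5K"), (100_000, "5K-100K"), (1_000_000, "100K-1M"),
         (10_000_000, "1M-10M"), (100_000_000, "10M-100M")]


def size_band(records):
    """Label a breach with the deck's (mostly logarithmic) size band."""
    for upper, label in BANDS:
        if records < upper:
            return label
    return ">100M"


def per_record(records, low, high):
    """Per-record cost range, computed the way the deck does: total / records."""
    return low / records, high / records


def linear_fit(xs, ys):
    """Ordinary least squares y = a + b*x. Returns (a, b, r)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b, sxy / math.sqrt(sxx * syy)


def fit_fixed_plus_variable(cases=CASES):
    """Fit total = F + v * records: F plays the role of the fixed costs
    (forensics, legal, PR), v the per-record costs (notification, credit
    monitoring). Returns (F, v, r)."""
    xs = [rec for _, rec, _, _ in cases]
    ys = [(lo + hi) / 2 for _, _, lo, hi in cases]
    return linear_fit(xs, ys)


def fit_loglog(cases=CASES):
    """Fit log10(total) = a + b*log10(records). A slope b between 0 and 1
    means total cost rises with size while per-record cost falls.
    Returns (a, b, r)."""
    xs = [math.log10(rec) for _, rec, _, _ in cases]
    ys = [math.log10((lo + hi) / 2) for _, _, lo, hi in cases]
    return linear_fit(xs, ys)


def modelled_per_record(records, fixed, variable):
    """Per-record cost implied by a fixed-plus-variable model: F/n + v.
    The F/n term is why per-record cost falls as breaches get larger."""
    return fixed / records + variable


if __name__ == "__main__":
    F, v, r_lin = fit_fixed_plus_variable()
    a, b, r_log = fit_loglog()
    print(f"fixed ${F / 1e6:.1f}M + ${v:.2f}/record (r = {r_lin:.2f})")
    print(f"log-log slope {b:.2f} (r = {r_log:.2f})")
    for name, rec, lo, hi in CASES:
        p_lo, p_hi = per_record(rec, lo, hi)
        print(f"{name:22s} {size_band(rec):>8s} ${p_lo:6.2f} - ${p_hi:6.2f}/record")
```

On these six cases the log-log slope comes out well below 1 and the fixed-plus-variable fit gives a positive fixed term, which is the mechanism behind the two correlations on Page 34: total cost grows with the number of records, but the fixed component is spread over more records, so the per-record figure falls. The correlation on six hand-picked large breaches is not the weak one the slides report for the Ponemon data; the point of the block is the arithmetic, not the coefficient.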
“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” (PC Magazine, Editors’ Choice)
“Co3…defines what software packages for privacy look like.” (Gartner)
“Platform is comprehensive, user friendly, and very well designed.” (Ponemon Institute)

Co3 Systems
One Alewife Center, Suite 450, Cambridge, MA 02140
Phone 617.206.3900
www.co3sys.com

Patrick Florer, Co-Founder & CTO, Risk Centric Security, Inc.
214-828-1172
patrick@riskcentricsecurity.com
www.riskcentricsecurity.com

Page 57
What kinds of data might be exposed?

Operational Data:
• Unpublished phone numbers
• Private email addresses
• HR data about employees
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data

Page 59

What kinds of data might be exposed?

Intellectual Property:
• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and other plans
• Product designs, plans, formulas, recipes

Page 60

What kinds of data might be exposed?

Financial Information:
• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data

Page 61

What is PII in the European Union?

Personally Identifiable Information (PII):
• A term similar to PII, "personal data", is defined in EU Directive 95/46/EC for the purposes of the directive. Article 2(a): 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. (Quoted via Wikipedia.)

Page 62
What is Protected Health Information (PHI)?

• Under HIPAA, health information linked to any of the following 18 identifiers is PHI and must be treated with special care:
  • Names
  • All geographical subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
  • Dates (other than year) directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Phone numbers

Page 63

What is Protected Health Information (PHI)?

Protected Health Information (PHI), continued:
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal and voice prints
  • Full face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

Page 64
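The 18-identifier list on Pages 63–64 is the HIPAA Safe Harbor rule, and the two fiddly parts of it (the three-digit ZIP exception and the age-over-89 rule) are where de-identification scripts usually go wrong. The block below is an added example for this page, not code from the presentation or from either speaker's company: it reduces a single patient record to Safe Harbor form and flags free-text fields that still carry identifiers. The field names, the sample record and the reference date are constructed for the example; the set of 17 restricted ZIP prefixes is the one HHS's Safe Harbor guidance derives from the 2000 Census and should be confirmed against current guidance before use.

```python
"""Screening a patient record against the 18 HIPAA Safe Harbor identifiers
listed on pages 63-64. Added example, not part of the presentation.
The schema, the sample record and the reference date are constructed.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose area holds 20,000 or fewer people and must
# therefore become "000". These 17 are the prefixes HHS's Safe Harbor
# guidance lists from the 2000 Census; confirm against current guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Fields in this example's schema that hold identifiers removed outright:
# names, geography below state, phone/fax, email, SSN, MRN, plan and account
# numbers, licence, vehicle and device identifiers, URLs, IPs, biometrics, photos.
REMOVE_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id", "device_serial",
    "url", "ip", "biometric", "photo",
}

# Identifiers that commonly leak inside free text such as clinical notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def safe_harbor_zip(zip_code):
    """Keep the first three digits, or 000 for the sparsely populated prefixes."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, ref):
    """Whole years between a date of birth and a reference date."""
    return ref.year - dob.year - ((ref.month, ref.day) < (dob.month, dob.day))


def safe_harbor_age(age):
    """Ages over 89 collapse into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def residual_identifiers(text):
    """Identifier categories still present in a free-text value."""
    return {name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)}


def deidentify(record, ref):
    """Return (clean, review): the Safe Harbor-reduced record and the free-text
    fields that still carry identifiers and need manual review."""
    clean, review = {}, {}
    for field, value in record.items():
        if field in REMOVE_FIELDS or field == "dob":
            continue                       # dropped outright; dob handled below
        if field == "zip":
            clean["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, date):
            clean[field + "_year"] = str(value.year)   # dates keep the year only
        else:
            clean[field] = value
            if isinstance(value, str):
                found = residual_identifiers(value)
                if found:
                    review[field] = found
    dob = record.get("dob")
    if dob is not None:
        age = age_on(dob, ref)
        clean["age"] = safe_harbor_age(age)
        # A birth year is permitted unless it would reveal an age over 89.
        if age <= 89:
            clean["birth_year"] = str(dob.year)
    return clean, review


# Constructed sample: a 91-year-old patient in a restricted ZIP prefix, with a
# phone number and a full date leaking through the notes field.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "zip": "03601",
    "dob": date(1921, 3, 15),
    "admission": date(2012, 10, 3),
    "diagnosis": "E11.9",
    "notes": "Call 555-123-4567 re follow-up; pt seen 10/03/2012",
}
REFERENCE_DATE = date(2012, 11, 8)

if __name__ == "__main__":
    clean, review = deidentify(SAMPLE_RECORD, REFERENCE_DATE)
    print(clean)
    print("needs review:", review)
```

The regexes only flag free text; they do not scrub it, because a pattern-based scrub gives false confidence (a phone number written with spaces, a date written as "Oct 3rd", a name in a sentence). Under Safe Harbor the record is not de-identified until those fields are cleaned or dropped, so the function reports them for review rather than declaring the record clean.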
How do we estimate costs – Intellectual Property

How to value?
• Fair Market Value
• Cost to Create
• Historical Value

Methodologies:
• Cost Approach: Reproduction or Replacement
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor

Page 65