Deconstructing the cost of a data breach

Risk Centric Security, Inc.
www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software

Risk Centric Security, Inc. Confidential and Proprietary . Risk Analysis for the 21st Century®
Copyright © 2012 Risk Centric Security, Inc . All rights reserved.

Patrick Florer has worked in information technology for
32 years. In addition, he worked a parallel track in
medical outcomes research, analysis, and the creation of
evidence-based guidelines for medical treatment. His
roles have included IT operations, programming, and
systems analysis. From 1986 until now, he has worked as
an independent consultant, helping customers with
strategic development, analytics, risk analysis, and
decision analysis. He is a cofounder of Risk Centric
Security and currently serves as Chief Technology Officer.

Risk Centric Security, Inc. Confidential and Proprietary .

What is a breach?
What are data?
What kinds of costs are we talking about?
Whose costs are we talking about?
How do we estimate costs / impact?

Risk Centric Security, Inc. Confidential and Proprietary.

.
breach

1. a. An opening, a tear, or a rupture.
b. A gap or rift, especially in or as if in a solid structure such as
a dike or fortification.
2. A violation or infraction, as of a law, a legal obligation, or a
promise.
3. A breaking up or disruption of friendly relations; an
estrangement.
4. A leap of a whale from the water.
5. The breaking of waves or surf.
The American Heritage® Dictionary of the English Language, Fourth Edition copyright ©2000 by
Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights
reserved


.
breach

1. a crack, break, or rupture
2. a breaking, infringement, or violation of a
promise, obligation, etc
3. any severance or separation
4. (Military) a gap in an enemy's fortifications or line of defense
created by bombardment or attack
5. (Life Sciences & Allied Applications / Zoology) the act of a
whale in breaking clear of the water
6. (Earth Sciences / Physical Geography) the breaking of sea
waves on a shore or rock
7. (Medicine / Pathology) an obsolete word for wound1
Collins English Dictionary – Complete and Unabridged © HarperCollins Publishers
1991, 1994, 1998, 2000, 2003
.

.
breach

1. the act or a result of breaking; break or rupture.
2. an infraction or violation, as of a law, trust, faith, or promise.
3. a gap made in a wall, fortification, line of soldiers, etc.; rift;
fissure.
4. a severance of friendly relations.
5. the leap of a whale above the surface of the water.

www.dictionary.com


.
Data Breach:

A data breach is an incident in which sensitive, protected or
confidential data has potentially been viewed, stolen or used by
an individual unauthorized to do so. Data breaches may involve
personal health information (PHI), personally identifiable
information (PII), trade secrets or intellectual property.

The law is evolving – basically a breach is an unauthorized use of a
computer system.

Many prosecutions take place under provisions of the Computer
Fraud and Abuse Act (CFAA)


.
Data Breach:

Is the concept of a breach too narrow to describe many types of
events?

Do we need different words and concepts?

• A single event at a single point in time?

• What about an attack that exfiltrates data over a long period of
time?


Operational Data

Intellectual Property

Financial Information

Personal Information

Personally Identifiable Information (PII)

Protected Health Information (PHI)

Operational Data:

• Unpublished phone numbers
• Private email addresses
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data


Intellectual Property:

• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and
other plans
• Product designs, plans, formulas, recipes
• HR data about employees


Financial Information:

• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data


Personally Information:

Data that identify a person that are not considered
protected:

• Name
• Address
• Phone number
• Email address
• Facebook name
• Twitter handle


Personally Identifiable Information (PII):

The U.S. government used the term "personally identifiable" in
2007 in a memorandum from the Executive Office of the
President, Office of Management and Budget (OMB),[2] and that
usage now appears in US standards such as the NIST Guide to
Protecting the Confidentiality of Personally Identifiable Information
(SP 800-122).[3] The OMB memorandum defines PII as follows:

• Information which can be used to distinguish or trace an
individual's identity, such as their name, social security
number, biometric records, etc. alone, or when combined with
other personal or identifying information which is linked or
linkable to a specific individual, such as date and place of
birth, mother’s maiden name, etc.

from wikipedia.com


A term similar to PII, "personal data" is defined in EU directive
95/46/EC, for the purposes of the directive:[4]

Article 2a: 'personal data' shall mean any information relating
to an identified or identifiable natural person ('data subject');
an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification
number or to one or more factors specific to his
physical, physiological, mental, economic, cultural or social
identity;

From wikipedia.com:



According to the OMB, it is not always the case that PII is
"sensitive", and context may be taken into account in deciding
whether certain PII is or is not sensitive.

Was the Epsilon breach a “breach”?

Have there been other “non-breach” breaches?

Given the powerful correlations that can be
made, are these definitions too narrow?

Protected Health Information (PHI):

Protected health information (PHI), under the US Health
Insurance Portability and Accountability Act (HIPAA), is any
information about health status, provision of health care, or
payment for health care that can be linked to a specific
individual. This is interpreted rather broadly and includes any
part of a patient’s medical record or payment history.


PHI that is linked based on the following list of 18 identifiers must
be treated with special care according to HIPAA:
• Names
• All geographical subdivisions smaller than a State, including street
address, city, county, precinct, zip code, and their equivalent
geocodes, except for the initial three digits of a zip code, if according to the
current publicly available data from the Bureau of the Census: (1) The
geographic unit formed by combining all zip codes with the same three
initial digits contains more than 20,000 people; and (2) The initial three
digits of a zip code for all such geographic units containing 20,000 or fewer
people is changed to 000
• Dates (other than year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over
89 and all elements of dates (including year) indicative of such age, except
that such ages and elements may be aggregated into a single category of
age 90 or older
• Phone numbers

• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (note this does
not mean the unique code assigned by the investigator to code the data)

Costs that we should be able to discover and/or
estimate

Costs that might be difficult to discover and/or
estimate


estimate:

• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or
information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business
partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State
Attorneys General, etc.)


estimate:

• Fines and indemnifications imposed by contracts with
business partners

• Contractual fines and penalties resulting from PCI DSS
related incidents - either data loss or compliance failure

• Judgments and legal settlements - customers, business
partners, shareholders

• Additional compliance and audit costs related to legal
settlements (20 years of additional reporting, for example)


Costs that might be difficult to discover and/or estimate:

• Loss of competitive advantage

• Loss of shareholder value

• Reputation loss

• Opportunity and Sales losses from customers and business
partners who went elsewhere

• Value of intellectual property


• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?


Fixed / Overall Costs

Per record costs:
• Direct/Primary

• Indirect/Secondary

• Variable costs that scale with magnitude of breach


How to value?
• Fair Market Value
• Fair Value
• Historical Value

Methodologies:
• Cost Approach
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor


How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office of Civil Rights (OCR) actions
• FTC actions
• Press releases

Disclosure laws
• HIPAA/HITECH
• State breach laws
• New SEC Guidance re “material” impact

Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)

Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)


Non-public sources:

• Forensics Investigators
• Card Brands
• Payment Processors
• Subscription services
• Data sharing consortia – Information Sharing and Analysis
Centers (ISAC’s)
• Government Intelligence agencies
• Word of mouth and anecdotal evidence


Thank you !
Patrick Florer
CTO and Co-founder
Risk Centric Security, Inc
patrick@riskcentricsecurity.com Risk Analysis for the 21st Century ®

214.828.1172
Authorized reseller of ModelRisk from Vose Software

To provide feedback on this presentation:
https://www.surveymonkey.com/sourceboston12


Deconstructing the cost of a data breach

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to Deconstructing the cost of a data breach

Similar to Deconstructing the cost of a data breach (20)

Recently uploaded

Recently uploaded (20)

Deconstructing the cost of a data breach