BreachExchange mailing list archives

Adding Up the Costs of Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Jan 2014 18:22:45 -0700

http://dealbook.nytimes.com/2014/01/28/adding-up-the-costs-of-data-breaches/

There seems to be an announcement almost weekly that a retailer has been
the victim of a cyberattack in which consumer information has been stolen.
Has this become the next wave of 21st century white-collar crime as the
world of electronic credit and payments opens up companies to more and more
thefts of financial information?

The latest disclosure of a possible security breach comes from Michaels
Stores, which said it was looking into possible fraudulent activity
involving its stores but had not yet confirmed any misuse of customer
financial information. As hackers' sophistication increases, companies have
a harder time even detecting whether computer systems have been attacked
and the extent of any security breach.

Unlike many types of white-collar crime that affect only individual
companies and markets, a broad swath of society is at risk when hackers
obtain personal financial information. As The New York Times reported,
Target was particularly vulnerable to having its system invaded by hackers,
who may have exposed credit and debit card information on up to 40 million
customers.

Companies that have been attacked are still trying to figure out how
quickly to disclose a security breach. Neiman Marcus, for example, sent a
letter to Senator Richard Blumenthal of
Connecticut, who had questioned the retailer's failure to promptly notify
customers. It gave a timeline of how it was hacked by the same computer
program that attacked Target and said it had received information shortly
before Christmas about a possible problem with credit cards used at its
stores. A report on New Year's Day confirmed that its computer system had
been breached, but the company did not make any public announcement until
Jan. 10.

On the other hand, Michaels Stores disclosed the potential breach even
before it confirmed that financial information had been obtained. In a
letter to customers, the company said it had "recently learned of possible
fraudulent activity on some U.S. payment cards that had been used at
Michaels, suggesting we may have experienced a data security attack."

There is pressure on a company whose information has been stolen to keep
quiet and delay disclosures to customers and shareholders. From a law
enforcement perspective, keeping a security breach confidential may help
criminal investigators track down who received the information and how they
might be selling it. A public announcement of a cyberattack puts the
perpetrators on notice to tread more carefully in how they might use
customer financial information.

The challenge is not finding a crime to prosecute. It is locating the
perpetrators and bringing them to the United States to face charges. The
malware used to infiltrate computer systems at Target and Neiman Marcus
reportedly originated in Russia, and the stolen information has been passed
around Eastern Europe. That means that most of those involved in the
hacking are beyond the reach of American authorities.

There are plenty of criminal laws on the books that can be used to
prosecute cybercrime. Federal statutes make it a crime to access a computer
to fraudulently obtain information (18 U.S.C. § 1030(a)(4)), and to use "a
means of identification of another person," including by selling or trading
stolen personal financial information (18 U.S.C. § 1028A).

Unlike other types of white-collar crimes, in which defendants often claim
they did not believe their conduct constituted a violation, cybercriminals
know exactly what they are doing and why. (While technologically
sophisticated, they are still just thieves.) So these cases present a
different challenge for prosecutors, who often need secrecy to track down
those behind the cyberattacks.

But the need for a company victimized by hacking to disclose information
can be just as great, especially when personal financial information is
involved. Although credit card holders are not subject to significant
losses if they promptly report fraudulent transactions, that is cold
comfort when trying to figure out whether fraudulent charges have been made.

If a credit card account is misused, the cardholder has to spend time
straightening out unauthorized transactions and dealing with the issuance
of new cards. Even more dangerous is the potential for identity theft,
which could result in substantial disruptions to an individual's financial
life that can take months to fully rectify.

For publicly traded companies like Target and Neiman Marcus, there is an
additional obligation to disclose material information to shareholders in a
timely manner. For any retailer, a cyberattack may drive customers away and
affect income through increased expenses for stronger computer security,
providing identity theft protection to affected customers and refunding of
any fraudulent charges.

The potential effect on the bottom line could be significant, and something
every shareholder is likely to want to learn about sooner rather than
later. Yet neither Target nor Neiman Marcus has submitted a filing with the
Securities and Exchange Commission giving an estimate of the potential
costs of the hacking they experienced, leaving shareholders in the dark
about the effect of these episodes.

Companies that have so far avoided the hacking afflicting retailers must be
aware of the potential that their computer systems are vulnerable to a
cyberattack. At the recent World Economic Forum in Davos, Switzerland, the
chief executive of Western Union pointed out that dealing with hackers had
become a "street fight."

Hackers are getting more sophisticated, which means the costs to fight them
will grow as companies address the type of porous security that got Target
into so much trouble. Shareholders are likely to hear more about how
companies are trying to protect themselves and the rising cost of doing so.