BreachExchange mailing list archives

"Groundhog Day" for data breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 3 Jun 2014 18:57:19 -0600

http://www.lexology.com/library/detail.aspx?g=976cf116-c9ca-497f-93b0-06f07d65bdf4

Here we go again.  A prominent company suffers a data breach.  The company
publicly alerts its customers.  The company almost immediately finds itself
the subject of inquiries from Congress and the target of investigations by
regulators.  Before long, class action lawyers will crank out complaints as
if they're Mad Libs, filling in the name of the company and then running to
the courthouse.  Throughout, the company -- the victim of the breach -- is
treated as if it is guilty until proven innocent, or "negligent until
proven reasonable."  The company faces massive costs and other financial
burdens, as well as reputational damage that could last years.

Sound familiar?  That's because you've seen this movie before.  But this
time it's not about Target, or Neiman Marcus, or Michael's, or any of the
other prominent companies that have experienced this "blame the victim"
culture over the past year.  This time it's about eBay, which announced a
breach last week affecting one of its databases and asked its 145 million
users to change their passwords.  eBay has already started getting letters
from the Hill, is reportedly already under investigation by multiple state
Attorneys General, and is already being attacked in the media.  You can be
sure that the FTC and the class action lawyers are next.  It's like a bad
ripoff of the movie "Groundhog Day."

We'll probably see even more calls on the Hill for stronger enforcement
powers for the already-emboldened FTC and harsher penalties against
companies for failing to report breaches.  We'll see more calls for a
national data breach notification standard which, despite being good for
companies and consumers alike, can't seem to get through Congress.  We'll
see more public comments by lawmakers suggesting that the breach was
somehow the result of a failing by eBay, instead of being the work of
sophisticated hackers, even while an investigation of the incident is still
ongoing.  And we'll probably see SEC and shareholder scrutiny of the
company's prior cybersecurity disclosures, as well as questions about what
executives and the Board knew or should have known about the risks.

A company doesn't have to be the size of Target or eBay to experience this
"Groundhog Day"-like vicious cycle.  Your company may have fewer customers,
but that doesn't make the cycle any less vicious for you.

WHAT YOU CAN DO

Companies do have a way to fight back -- and that's to be proactive.  Doing
a privacy and security assessment in advance of an incident -- overseen by
counsel, and protected by the privilege -- will help in two ways.

First, it will help reduce your risk of a breach by addressing potentially
unanticipated vulnerabilities (such as those arising from vendors and other
third parties).

Second, because you can't eliminate the risk entirely, it will put you in
the best possible position to successfully defend yourself against the
litigation and regulatory investigations that are sure to follow any breach
that does occur.  Doing this kind of assessment in advance -- with the help
of outside counsel and forensics experts -- will make it a lot harder for
anyone -- Congress, regulators, or the courts -- to find that you were
anything but reasonable.

And the best news of all is that it's inexpensive -- especially when
compared to the alternative.  An ounce of prevention is a lot cheaper than
a pound of cure.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/