BreachExchange mailing list archives

OPM Hack Raises Questions About Cyber-Attack Liability
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Jun 2015 19:20:28 -0600

http://www.breitbart.com/big-government/2015/06/16/opm-hack-raises-questions-about-cyber-attack-liability/

There doesn’t seem to be much danger of any high-level government official
being held responsible for the security failures that let Chinese hackers
raid the Office of Personnel Management, potentially compromising the
personal information of millions of past and present government employees.

No one is ever held responsible for failure in government any more; even
the most breathtaking incompetence and abuse lead to zero terminations or
punishment. Congress is beginning to grumble about hearings and subpoenas,
but even those tend to be ignored and subverted in the Obama era.

But what about financial liability? A post at the website of Insurance
Business America notes some consternation in the insurance industry, which
has been laboring to perfect product offerings and business models to deal
with the complex liabilities that can arise from cyber attacks. If the
business of adjusting claims for tornado damage or an auto crash is
complicated, imagine how much more delicate the task becomes when all the
property damaged is virtual, but very real shockwaves can roll through the
victim’s life:

For insurance industry professionals, the breach of the federal government
was not entirely unexpected. However, it helps underline a point that many
proponents of cyber liability insurance and other security policies have
tried to make repeatedly: no one is safe, and public entities and small
private businesses are particularly at risk.

“What this shows is that no one organization can be fully immune to cyber
risk – whether they are a public or private sector body,” said Jack
Elliott-Frey, a broker with SafeOnline LLP. “Public sector bodies often
have smaller budgets than private businesses of the same size, and due to
that are forced to spread it across more sectors of the business.

“Ultimately this means that security spending can take a backseat, and with
public sector bodies such as local governments or healthcare providers,
this can prove to be problematic as they hold plenty of valuable personally
identifiable information.”

The article goes on to observe that health care providers and small
businesses are the most common data breach targets, but are also most
likely to pass on purchasing “cyber insurance” due to its expense. The
insurance industry believes its potential customers overestimate the cost
of coverage, because the per-record cost of a massive breach can stack up
vastly higher than the annual cost of an insurance policy.

The fallout from the OPM hack could change hearts and minds when it comes
to assessing the value of cyber insurance policies, with millions of people
potentially affected. Not only are they at risk of identity theft, but
Insurance Business America touches lightly upon something that will bring
many a sleepless night to intelligence agency heads over the coming months:
those potentially compromised individuals might now be too much of a
security risk to hold sensitive positions, which could be devastating to
their livelihoods and career aspirations.

Even government employees with less sensitive positions could find their
digital profiles corrupted by the mischief of hackers. You can do a lot of
damage to someone’s reputation with the kind of information the Chinese
raiders allegedly stole. (It’s a very interesting aspect of the OPM
disaster that not much appears to have been done with the stolen data yet,
for either fun or profit. What might be coming down the road? What if the
hackers sit on what they’ve taken until the time is right to cause trouble
for millions of victims, all at once?)

The insurance industry may find the OPM hack to offer a “teachable moment”
on the value of cyber insurance – which sounds crass, but there’s nothing
scurrilous about insurance professionals accurately pointing out that
policy coverage is a bargain compared to the damage from a massive data
breach. That’s their job, and companies entrusted with mountains of
priceless information should hope they do it well.

On the other hand, the industry may also learn that the accumulated
financial damage from an attack on the scale of what happened to the Office
of Personnel Management creates a liability avalanche large enough to bury
any underwriter. Is there anyone even capable of calculating a reasonably
accurate dollar value for the data that was stolen from our government? Is
there any way to compute the cost of the havoc that can be wreaked, until
the hackers start wreaking it?
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/