BreachExchange mailing list archives

Professor sheds light on increase in cyber crimes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 10 Feb 2016 17:24:40 -0700

http://ndsmcobserver.com/2016/02/95346/

John D’Arcy, an associate professor of accounting and management
information systems at the University of Delaware, delivered his
presentation “Data Breach: Failures and Follow-ups” Monday afternoon in the
Mendoza College of Business. The lecture was the first event of Mendoza’s
annual Ethics Week and focused on data breaches.

“We hear about these [data breaches] all the time, and there’s even a term
that’s come up recently, ‘data breach fatigue’ – it comes up so often, it’s
not even a big deal anymore,” D’Arcy said. “Every week, we hear about
another organization that’s high profile that’s been attacked.”

According to D’Arcy, a data breach is an incident in which “sensitive,
protected or confidential data” is accessed by a party without
authorization. This data includes personal health information, personal
identifiable information, trade secrets, intellectual property and personal
financial data, D’Arcy said. There is also a movement toward expanding the
definition to include emails, passwords and information specific to
healthcare.

Healthcare is an industry that’s especially vulnerable to cybercriminals,
D’Arcy said.

“Getting this information can be used to make fake insurance accounts —
there’s a lot of money to be made,” he said. “Everything is being digitized
in the health industry, and it’s a gold mine. In general, they’ve been a
little lax in terms of security compared to other industries.”

D’Arcy explained the idea of a “compliance mindset,” which assumes that the
minimum required by law is enough protection.

“There’s plenty of laws in the book that require both notification and an
adequate level of security, but we’re still seeing more and more breaches,”
he said. “The question is, is the law enough? Just to comply with legal
requirements, is that enough? The obvious answer is no — companies have an
ethical obligation to go beyond the requirements and to really protect its
information.”

Contributing to this “compliance mindset” is the lack of incentive for
companies to “step up” their precautions against data breaches.

“There’s concern for your personal information, but in terms of hardcore
impact, it’s not really affecting companies negatively, from a
shareholder’s perspective,” D’Arcy said. “They have litigation costs and
all these other costs, but in terms of satisfying their shareholders,
they’re not taking much of a hit. There’s not a hard case from a business
standpoint to go above and beyond.”

D’Arcy presented case studies for four major data breaches: ChoicePoint,
Inc. and TJX Companies in 2005, Target in 2013 and eBay in 2014.

Email addresses, encrypted passwords, birth dates and mailing addresses
were accessed from eBay in 2014, and the company was very slow to react,
taking weeks to notify customers who may have been affected, D’Arcy said.

“Their argument was since it wasn’t credit card data or driver’s licenses,
they didn’t need to notify customers right away,” D’Arcy said. “Also,
because the passwords were in an encrypted format, their argument was that
it wasn’t sensitive.”

D’Arcy said information security and ethics are complicated and past
incidents should be viewed as learning opportunities instead of complete
failures.

“It’s easy to look at these cases and be all high and mighty, but the
reality is, ethics is difficult, and they’re dealing with pressures and
other factors,” he said. “We can certainly learn lessons from these cases
moving forward and begin to apply that ethical lens and act on our
ethical obligations.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/