CIO

Does the board level need to lawyer up about data breach protection?

  • David Gee (CSO Online)
  • 23 September, 2015 14:07

This is written in the shadow of the Ashley Madison breach, in which personal profiles were exposed and there were examples of public servants using their work email addresses for extra-curricular activities.

By definition a data breach is the intentional or unintentional release of secure information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak and also data spill.

So what is the enterprise position on this? How do you deal with it: is it merely about protecting one’s backside, or can you be more pragmatic?

How large is the problem?

You can see from the following graphic that there have been broad and extensive examples of data breaches. The causes range from hacks to accidental disclosure, insider leaks and stolen devices.

There are so many examples that they don’t actually fit into one screenshot. The names include large enterprises that have professional IT security organisations and a CISO. I’m sure most of these organisations are larger than many of your own institutions.

The question is if they cannot avoid this risk, then how can you?

Source:


Call in the Lawyers

It is interesting to consider whether they should be the first people to call. Most organisations need to first call their insurance broker and understand what cyber security coverage their policy includes. For most organisations, some degree of insurance protection will have been included. But I can guarantee that if you have a large breach (a big bubble in the picture), whatever coverage you have will be inadequate.

Yes, do call the lawyers. But by then it is all about damage control, as it is too late.

The key point is that many of these data breaches also carry an element of current and future threat. It is impossible to know exactly when the danger has passed.

The Price of Hacked Information

Everything has a price. Here are a few examples to illustrate the extent of the problem. It is worth understanding that the market for certain kinds of information is much more lucrative for the hackers. For more information, I suggest that you check out [1].

Yes, that’s correct: there is a big payday for a DDoS on a gambling website, but only $1 to hack my webcam.

The True Cost

Unfortunately, the true cost of a data breach is ongoing. From my own personal experience, I have the fun experience of receiving a random email at least once every second month. The most recent was from a bank on the US East Coast asking me to complete a customer satisfaction survey.

This all relates to an email account that was hacked two years ago; there is a long tail to the inconvenience of this data loss. Since then I’ve apparently applied for a micro loan in London, had a utility van serviced in the US Midwest and now have a new bank account on the East Coast.

In every case, after I check that this is a real company and not a phishing site, I make contact and try to ensure they are made aware of my identity theft. Of course, the funniest was the London loan: after I reported it to the financial institution, I asked whether they would share the details of the address, etc. They declined, which is funny, as I thought I was the innocent party.

Regardless of which organisation you are and the measures that you take, it is impossible to guarantee that your organisation will not experience a data breach. You just have to hope that it is a minor one and not one that makes the headlines as one of the bigger bubbles.