Deconstructing The Cost Of A Data Breach
Risk Centric Security, Inc.
www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software
Risk Centric Security, Inc. Confidential and Proprietary .
Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
Risk Analysis for the 21st Century®
Patrick Florer has worked in information technology for
32 years. In addition, he worked a parallel track in
medical outcomes research, analysis, and the creation of
evidence-based guidelines for medical treatment. His
roles have included IT operations, programming, and
systems analysis. From 1986 until now, he has worked as
an independent consultant, helping customers with
strategic development, analytics, risk analysis, and
decision analysis. He is a cofounder of Risk Centric
Security and currently serves as Chief Technology Officer.
What is a breach?
What are data?
What kinds of costs are we talking about?
Whose costs are we talking about?
How do we estimate costs / impact?
breach
1. a. An opening, a tear, or a rupture.
b. A gap or rift, especially in or as if in a solid structure such as
a dike or fortification.
2. A violation or infraction, as of a law, a legal obligation, or a
promise.
3. A breaking up or disruption of friendly relations; an
estrangement.
4. A leap of a whale from the water.
5. The breaking of waves or surf.
The American Heritage® Dictionary of the English Language, Fourth Edition copyright ©2000 by
Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights
reserved
breach
1. a crack, break, or rupture
2. a breaking, infringement, or violation of a promise, obligation,
etc.
3. any severance or separation
4. (Military) a gap in an enemy's fortifications or line of defense
created by bombardment or attack
5. (Life Sciences & Allied Applications / Zoology) the act of a
whale in breaking clear of the water
6. (Earth Sciences / Physical Geography) the breaking of sea
waves on a shore or rock
7. (Medicine / Pathology) an obsolete word for wound
Collins English Dictionary – Complete and Unabridged © HarperCollins Publishers 1991, 1994, 1998,
2000, 2003
breach
1. the act or a result of breaking; break or rupture.
2. an infraction or violation, as of a law, trust, faith, or promise.
3. a gap made in a wall, fortification, line of soldiers, etc.; rift;
fissure.
4. a severance of friendly relations.
5. the leap of a whale above the surface of the water.
www.dictionary.com
Data Breach:
A data breach is an incident in which sensitive, protected or
confidential data has potentially been viewed, stolen or used by
an individual unauthorized to do so. Data breaches may involve
personal health information (PHI), personally identifiable
information (PII), trade secrets or intellectual property.
The law is evolving. In practice, a breach is an unauthorized use of a
computer system.
Many prosecutions take place under provisions of the Computer
Fraud and Abuse Act (CFAA).
Data Breach:
Is the concept of a breach too narrow to describe many types of
events?
Do we need different words and concepts?
• A single event at a single point in time?
• What about an attack that exfiltrates data over a long period of
time?
Operational Data
Intellectual Property
Financial Information
Personal Information
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Operational Data:
• Unpublished phone numbers
• Private email addresses
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data
Intellectual Property:
• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and
other plans
• Product designs, plans, formulas, recipes
• HR data about employees
Financial Information:
• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data
Personal Information:
Data that identify a person but are not considered
protected:
• Name
• Address
• Phone number
• Email address
• Facebook name
• Twitter handle
Personally Identifiable Information (PII):
The U.S. government used the term "personally identifiable" in
2007 in a memorandum from the Executive Office of the President,
Office of Management and Budget (OMB), and that usage now
appears in US standards such as the NIST Guide to Protecting the
Confidentiality of Personally Identifiable Information (SP 800-122).
The OMB memorandum defines PII as follows:
• Information which can be used to distinguish or trace an
individual's identity, such as their name, social security number,
biometric records, etc. alone, or when combined with other
personal or identifying information which is linked or linkable to
a specific individual, such as date and place of birth, mother’s
maiden name, etc.
from wikipedia.com
Personally Identifiable Information (PII):
A term similar to PII, "personal data", is defined in EU directive
95/46/EC, for the purposes of the directive:
Article 2a: 'personal data' shall mean any information relating
to an identified or identifiable natural person ('data subject');
an identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;
from wikipedia.com
Personally Identifiable Information (PII):
According to the OMB, it is not always the case that PII is
"sensitive", and context may be taken into account in deciding
whether certain PII is or is not sensitive.
Was the Epsilon breach a “breach”?
Have there been other “non-breach” breaches?
Given the powerful correlations that can be made,
are these definitions too narrow?
Protected Health Information (PHI):
Protected health information (PHI), under the US Health
Insurance Portability and Accountability Act (HIPAA), is any
information about health status, provision of health care, or
payment for health care that can be linked to a specific
individual. This is interpreted rather broadly and includes any
part of a patient’s medical record or payment history.
Protected Health Information (PHI):
PHI linked to any of the following 18 identifiers must be treated with
special care under HIPAA:
• Names
• All geographical subdivisions smaller than a State, including street address,
city, county, precinct, zip code, and their equivalent geocodes, except for
the initial three digits of a zip code, if according to the current publicly
available data from the Bureau of the Census: (1) The geographic unit
formed by combining all zip codes with the same three initial digits contains
more than 20,000 people; and (2) The initial three digits of a zip code for all
such geographic units containing 20,000 or fewer people is changed to 000
• Dates (other than year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over
89 and all elements of dates (including year) indicative of such age, except
that such ages and elements may be aggregated into a single category of
age 90 or older
• Phone numbers
Protected Health Information (PHI):
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (note this does
not mean the unique code assigned by the investigator to code the data)
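The two identifiers above with the most intricate rules are geography and dates: a zip code may keep only its first three digits, and even those become "000" when the area sharing that prefix holds 20,000 or fewer people; dates lose everything but the year, and ages over 89 collapse into a single "90 or older" bucket, including the birth year. The following is an added example written for this page, not code from the slides or from Risk Centric Security, showing how those rules look when applied to a record before it leaves a protected system. The population table is a constructed placeholder standing in for the current Census data the rule actually requires, and the record is constructed as well.

```python
from datetime import date
from typing import Union

# Constructed sample of three-digit zip prefixes and the population of the
# geographic unit they form. The Safe Harbor rule uses current Bureau of the
# Census data; these figures are placeholders, not census values.
SAMPLE_PREFIX_POPULATION = {
    "752": 1_500_000,  # large unit: prefix may be kept
    "021": 800_000,    # large unit: prefix may be kept
    "036": 12_000,     # 20,000 or fewer people: prefix must become "000"
    "059": 19_900,     # just under the threshold: also "000"
}

POPULATION_THRESHOLD = 20_000  # the unit must contain MORE than 20,000 people
AGE_LIMIT = 89                 # ages over 89 collapse into "90 or older"

DateLike = Union[date, str]


def _as_date(value: DateLike) -> date:
    """Accept a date or an ISO yyyy-mm-dd string, as records usually carry."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def safe_harbor_zip(zip_code: str, prefix_population: dict) -> str:
    """Reduce a zip code to its Safe Harbor form ("752" or "000")."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"not a US zip code: {zip_code!r}")
    prefix = digits[:3]
    # An unknown prefix is treated as a small unit: the conservative choice.
    population = prefix_population.get(prefix, 0)
    return prefix if population > POPULATION_THRESHOLD else "000"


def age_on(birth_date: DateLike, as_of: DateLike) -> int:
    """Whole years of age on the as-of date (birthday not yet reached counts down)."""
    birth, today = _as_date(birth_date), _as_date(as_of)
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    if years < 0:
        raise ValueError("birth date is after the as-of date")
    return years


def safe_harbor_age(birth_date: DateLike, as_of: DateLike) -> str:
    """Age as a label; anything over 89 is aggregated into one category."""
    years = age_on(birth_date, as_of)
    return "90 or older" if years > AGE_LIMIT else str(years)


def deidentify(record: dict, as_of: DateLike, prefix_population: dict) -> dict:
    """Apply the zip, date and age rules to one patient record.

    Dates keep only their year. For a patient over 89 even the birth year is
    dropped, because it is an element of a date indicative of that age.
    """
    birth = _as_date(record["birth_date"])
    age_label = safe_harbor_age(birth, as_of)
    return {
        "zip3": safe_harbor_zip(record["zip"], prefix_population),
        "birth_year": None if age_label == "90 or older" else birth.year,
        "admission_year": _as_date(record["admission_date"]).year,
        "age": age_label,
    }


# Constructed record: a 92-year-old in a small zip area, admitted in 2012.
SAMPLE_RECORD = {
    "zip": "03601-1234",
    "birth_date": "1920-01-01",
    "admission_date": "2012-04-17",
}


def run_sample() -> dict:
    return deidentify(SAMPLE_RECORD, "2012-04-17", SAMPLE_PREFIX_POPULATION)


if __name__ == "__main__":
    print(run_sample())
```

The unknown-prefix branch matters in practice: a prefix missing from the population table is treated as small and masked, so a stale or incomplete table fails toward less disclosure rather than more.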
Costs that we should be able to discover and/or estimate
Costs that might be difficult to discover and/or estimate
Costs that we should be able to discover and/or estimate:
• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or
information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business
partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State
Attorneys General, etc.)
Costs that we should be able to discover and/or estimate:
• Fines and indemnifications imposed by contracts with
business partners
• Contractual fines and penalties resulting from PCI DSS
related incidents - either data loss or compliance failure
• Judgments and legal settlements - customers, business
partners, shareholders
• Additional compliance and audit costs related to legal
settlements (20 years of additional reporting, for example)
Costs that might be difficult to discover and/or estimate:
• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and Sales losses from customers and business
partners who went elsewhere
• Value of intellectual property
• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
Fixed / Overall Costs
Per record costs:
• Direct/Primary
• Indirect/Secondary
• Variable costs that scale with magnitude of breach
How to value?
• Fair Market Value
• Fair Value
• Historical Value
Methodologies:
• Cost Approach
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor
How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office of Civil Rights (OCR) actions
• FTC actions
• Press releases
Disclosure laws
• HIPAA/HITECH
• State breach laws
• New SEC Guidance re “material” impact
Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)
Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)
Non-public sources:
• Forensics Investigators
• Card Brands
• Payment Processors
• Subscription services
• Data sharing consortia – Information Sharing and Analysis
Centers (ISAC’s)
• Government Intelligence agencies
• Word of mouth and anecdotal evidence
Thank you !
Patrick Florer
CTO and Co-founder
Risk Centric Security, Inc
patrick@riskcentricsecurity.com
214.828.1172
To provide feedback on this presentation:
https://www.surveymonkey.com/sourceboston12

Más contenido relacionado

Destacado

Optimization of hard part turning of bohler K 110 steel with multiple perform...
Optimization of hard part turning of bohler K 110 steel with multiple perform...Optimization of hard part turning of bohler K 110 steel with multiple perform...
Optimization of hard part turning of bohler K 110 steel with multiple perform...IAEME Publication
 
FINAL_MCC_DM_A5_5mm Bleed_82419 QTY
FINAL_MCC_DM_A5_5mm Bleed_82419 QTYFINAL_MCC_DM_A5_5mm Bleed_82419 QTY
FINAL_MCC_DM_A5_5mm Bleed_82419 QTYCasey Wemyss
 
Moving To Dubai 2016
Moving To Dubai 2016Moving To Dubai 2016
Moving To Dubai 2016Kate Cerny
 
Psychology of healthy stress and coping
Psychology of healthy stress and copingPsychology of healthy stress and coping
Psychology of healthy stress and copingMclillans Zebron
 
A Data Transmission Technique Based On RSSI in an Ad-Hoc Network
A Data Transmission Technique Based On RSSI in an Ad-Hoc NetworkA Data Transmission Technique Based On RSSI in an Ad-Hoc Network
A Data Transmission Technique Based On RSSI in an Ad-Hoc NetworkIOSR Journals
 

Destacado (6)

Shot list Olivia
Shot list OliviaShot list Olivia
Shot list Olivia
 
Optimization of hard part turning of bohler K 110 steel with multiple perform...
Optimization of hard part turning of bohler K 110 steel with multiple perform...Optimization of hard part turning of bohler K 110 steel with multiple perform...
Optimization of hard part turning of bohler K 110 steel with multiple perform...
 
FINAL_MCC_DM_A5_5mm Bleed_82419 QTY
FINAL_MCC_DM_A5_5mm Bleed_82419 QTYFINAL_MCC_DM_A5_5mm Bleed_82419 QTY
FINAL_MCC_DM_A5_5mm Bleed_82419 QTY
 
Moving To Dubai 2016
Moving To Dubai 2016Moving To Dubai 2016
Moving To Dubai 2016
 
Psychology of healthy stress and coping
Psychology of healthy stress and copingPsychology of healthy stress and coping
Psychology of healthy stress and coping
 
A Data Transmission Technique Based On RSSI in an Ad-Hoc Network
A Data Transmission Technique Based On RSSI in an Ad-Hoc NetworkA Data Transmission Technique Based On RSSI in an Ad-Hoc Network
A Data Transmission Technique Based On RSSI in an Ad-Hoc Network
 

Similar a Deconstructing The Cost Of A Data Breach

Deconstructing the cost of a data breach
Deconstructing the cost of a data breachDeconstructing the cost of a data breach
Deconstructing the cost of a data breachPatrick Florer
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
Measurement, Quantitative vs. Qualitative and Other Cool Stuff
Measurement, Quantitative vs. Qualitative and Other Cool StuffMeasurement, Quantitative vs. Qualitative and Other Cool Stuff
Measurement, Quantitative vs. Qualitative and Other Cool StuffJody Keyser
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-dataNumaan Huq
 
Rcs triumfant watchful_webinar_final
Rcs triumfant watchful_webinar_finalRcs triumfant watchful_webinar_final
Rcs triumfant watchful_webinar_finalPatrick Florer
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
About Zero Point Risk Research Llc
About Zero Point Risk Research LlcAbout Zero Point Risk Research Llc
About Zero Point Risk Research Llclrschade
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response PlanNext Dimension Inc.
 
Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12Patrick Florer
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentDonald E. Hester
 
Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...
Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...
Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...Eric Vanderburg
 
Measurement, Qualitative vs Quantitative Methods, and other Cool Stuff
Measurement, Qualitative vs Quantitative Methods, and other Cool StuffMeasurement, Qualitative vs Quantitative Methods, and other Cool Stuff
Measurement, Qualitative vs Quantitative Methods, and other Cool StuffPatrick Florer
 
Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Jeff Bodin
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? IJNSA Journal
 
Debix OnCall Healthcare
Debix OnCall HealthcareDebix OnCall Healthcare
Debix OnCall Healthcareitsmecramer
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachCBIZ, Inc.
 

Similar a Deconstructing The Cost Of A Data Breach (20)

Deconstructing the cost of a data breach
Deconstructing the cost of a data breachDeconstructing the cost of a data breach
Deconstructing the cost of a data breach
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
Measurement, Quantitative vs. Qualitative and Other Cool Stuff
Measurement, Quantitative vs. Qualitative and Other Cool StuffMeasurement, Quantitative vs. Qualitative and Other Cool Stuff
Measurement, Quantitative vs. Qualitative and Other Cool Stuff
 
wp-follow-the-data
wp-follow-the-datawp-follow-the-data
wp-follow-the-data
 
Rcs triumfant watchful_webinar_final
Rcs triumfant watchful_webinar_finalRcs triumfant watchful_webinar_final
Rcs triumfant watchful_webinar_final
 
CYVA_EMA3PageVentureSummaryAngelAM020150717
CYVA_EMA3PageVentureSummaryAngelAM020150717CYVA_EMA3PageVentureSummaryAngelAM020150717
CYVA_EMA3PageVentureSummaryAngelAM020150717
 
CYVA_EMA3PageVentureSummaryAngelAM020150717
CYVA_EMA3PageVentureSummaryAngelAM020150717CYVA_EMA3PageVentureSummaryAngelAM020150717
CYVA_EMA3PageVentureSummaryAngelAM020150717
 
CYVA_EMA3PageVentureSummaryAngelAM020150717
CYVA_EMA3PageVentureSummaryAngelAM020150717CYVA_EMA3PageVentureSummaryAngelAM020150717
CYVA_EMA3PageVentureSummaryAngelAM020150717
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
About Zero Point Risk Research Llc
About Zero Point Risk Research LlcAbout Zero Point Risk Research Llc
About Zero Point Risk Research Llc
 
Siskinds | Incident Response Plan
Siskinds | Incident Response PlanSiskinds | Incident Response Plan
Siskinds | Incident Response Plan
 
Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12
 
CSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local GovernmentCSMFO 2012 Data Privacy in Local Government
CSMFO 2012 Data Privacy in Local Government
 
Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...
Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...
Protecting Law Firms and their Clients: The Role of the Virtual Chief Securit...
 
Measurement, Qualitative vs Quantitative Methods, and other Cool Stuff
Measurement, Qualitative vs Quantitative Methods, and other Cool StuffMeasurement, Qualitative vs Quantitative Methods, and other Cool Stuff
Measurement, Qualitative vs Quantitative Methods, and other Cool Stuff
 
Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23Rcs webinar 1 2011_06_23
Rcs webinar 1 2011_06_23
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
 
Debix OnCall Healthcare
Debix OnCall HealthcareDebix OnCall Healthcare
Debix OnCall Healthcare
 
Data Breach: It Can Happen To You
Data Breach: It Can Happen To YouData Breach: It Can Happen To You
Data Breach: It Can Happen To You
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data Breach
 

Deconstructing The Cost Of A Data Breach

  • 1. Risk Centric Security, Inc. www.riskcentricsecurity.com Authorized reseller of ModelRisk from Vose Software Risk Centric Security, Inc. Confidential and Proprietary . Copyright © 2012 Risk Centric Security, Inc . All rights reserved. Risk Analysis for the 21st Century®
  • 2. Risk Centric Security, Inc. Confidential and Proprietary . Copyright © 2012 Risk Centric Security, Inc . All rights reserved. Patrick Florer has worked in information technology for 32 years. In addition, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer.
  • 3. What is a breach? What are data? What kinds of costs are we talking about? Whose costs are we talking about? How do we estimate costs / impact? Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 4. breach 1. a. An opening, a tear, or a rupture. b. A gap or rift, especially in or as if in a solid structure such as a dike or fortification. 2. A violation or infraction, as of a law, a legal obligation, or a promise. 3. A breaking up or disruption of friendly relations; an estrangement. 4. A leap of a whale from the water. 5. The breaking of waves or surf. The American Heritage® Dictionary of the English Language, Fourth Edition copyright ©2000 by Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights reserved Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved. .
  • 5. breach 1. a crack, break, or rupture 2. a breaking, infringement, or violation of a promise, obligation, etc 3. any severance or separation 4. (Military) a gap in an enemy's fortifications or line of defense created by bombardment or attack 5. (Life Sciences & Allied Applications / Zoology) the act of a whale in breaking clear of the water 6. (Earth Sciences / Physical Geography) the breaking of sea waves on a shore or rock 7. (Medicine / Pathology) an obsolete word for wound1 Collins English Dictionary – Complete and Unabridged © HarperCollins Publishers 1991, 1994, 1998, 2000, 2003 . Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved. .
  • 6. breach 1. the act or a result of breaking; break or rupture. 2. an infraction or violation, as of a law, trust, faith, or promise. 3. a gap made in a wall, fortification, line of soldiers, etc.; rift; fissure. 4. a severance of friendly relations. 5. the leap of a whale above the surface of the water. www.dictionary.com Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved. .
  • 7. Data Breach: A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. The law is evolving – basically a breach is an unauthorized use of a computer system. Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA) Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved. .
  • 8. Data Breach: Is the concept of a breach too narrow to describe many types of events? Do we need different words and concepts? • A single event at a single point in time? • What about an attack that exfiltrates data over a long period of time? Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved. .
  • 9. Operational Data Intellectual Property Financial Information Personal Information Personally Identifiable Information (PII) Protected Health Information (PHI) Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 10. Operational Data: • Unpublished phone numbers • Private email addresses • Passwords and login credentials • Certificates • Encryption keys • Tokenization data • Network and infrastructure data Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 11. Intellectual Property: • Company confidential information • Financial information • Merger, acquisition, divestiture, marketing, and other plans • Product designs, plans, formulas, recipes • HR data about employees Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 12. Financial Information: • Credit / debit card data • Bank account and transit routing data • Financial trading account data • ACH credentials and data Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 13. Personally Information: Data that identify a person that are not considered protected: • Name • Address • Phone number • Email address • Facebook name • Twitter handle Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 14. Personally Identifiable Information (PII): The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB),[2] and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122).[3] The OMB memorandum defines PII as follows: • Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. from wikipedia.com Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 15. Personally Identifiable Information (PII): A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the purposes of the directive:[4] Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; From wikipedia.com: Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc . All rights reserved.
  • 16. Personally Identifiable Information (PII): According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
    Was the Epsilon breach a “breach”? Have there been other “non-breach” breaches? Given the powerful correlations that can be made, are these definitions too narrow?
  • 17. Protected Health Information (PHI): Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
  • 18. Protected Health Information (PHI): PHI that is linked based on the following list of 18 identifiers must be treated with special care according to HIPAA:
    • Names
    • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
    • Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    • Phone numbers
  • 19. Protected Health Information (PHI):
    • Fax numbers
    • Electronic mail addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Uniform Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger, retinal and voice prints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
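The three conditional rules on slide 18 (three-digit zip codes with a 000 fallback, dates reduced to year, ages over 89 collapsed to a single category) are the part of the identifier list that people get wrong when they try to de-identify a data set by hand. The following Python is an added example, not code from the presentation or from Risk Centric Security: it applies those rules to a constructed patient record and strips the direct identifiers from slides 18 and 19. The field names of the input record are assumptions, and the set of restricted zip prefixes is a constructed placeholder; the real set is derived from Census population data and has to be looked up rather than hard-coded.

```python
"""Apply the HIPAA Safe Harbor identifier rules listed on slides 18-19.

Added example, not from the presentation. The restricted ZIP3 set is a
constructed placeholder: the real set comes from Census population data.
"""
from datetime import date

# Constructed placeholder (assumption): 3-digit ZIP prefixes whose combined
# population is 20,000 or fewer. Replace with values from current Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Direct identifiers from slides 18-19 that are removed outright. The field
# names are assumptions about the input record, not a standard schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the initial three digits, or '000' if that prefix is restricted."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def compute_age(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of (birthday not yet reached counts down)."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - (1 if before_birthday else 0)


def safe_harbor_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of `record`.

    Geography is reduced to ZIP3 (or 000), every date to its year, the birth
    year is withheld entirely when it would reveal an age over 89, direct
    identifiers are dropped, and all other fields pass through unchanged.
    """
    age = compute_age(record["birth_date"], as_of)
    out = {
        "zip3": safe_harbor_zip(record["zip"]),
        "age": safe_harbor_age(age),
        # A birth year alone reveals an age over 89, so it is withheld then.
        "birth_year": None if age > 89 else record["birth_date"].year,
    }
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in ("zip", "birth_date"):
            continue
        if isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year  # year only
        else:
            out[key] = value
    return out


# Constructed sample records (fictional people and values) and reference date.
AS_OF = date(2012, 4, 20)
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "1 Example St",
    "zip": "02139-1234",
    "phone": "555-0100",
    "birth_date": date(1928, 5, 4),
    "admission_date": date(2011, 3, 12),
    "diagnosis_code": "E11.9",
}
OLD_RECORD = dict(SAMPLE_RECORD, birth_date=date(1920, 1, 1))

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, AS_OF))
    print(deidentify(OLD_RECORD, AS_OF))
```

Note that the second record keeps an age category of "90+" but loses its birth year, while the first keeps both the year and the exact age; that asymmetry is exactly what the "all elements of dates (including year) indicative of such age" clause on slide 18 requires.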
  • 20. Costs that we should be able to discover and/or estimate
    Costs that might be difficult to discover and/or estimate
  • 21. Costs that we should be able to discover and/or estimate:
    • Lost productivity
    • Incident response and forensics costs
    • Costs of replacing lost or damaged hardware, software, or information
    • Public relations costs
    • Legal costs
    • Costs of sending letters to notify customers and business partners
    • Costs of providing credit monitoring
    • Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)
  • 22. Costs that we should be able to discover and/or estimate:
    • Fines and indemnifications imposed by contracts with business partners
    • Contractual fines and penalties resulting from PCI DSS related incidents - either data loss or compliance failure
    • Judgments and legal settlements - customers, business partners, shareholders
    • Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)
  • 23. Costs that might be difficult to discover and/or estimate:
    • Loss of competitive advantage
    • Loss of shareholder value
    • Reputation loss
    • Opportunity and Sales losses from customers and business partners who went elsewhere
    • Value of intellectual property
  • 24. Whose costs?
    • Breached entity?
    • Shareholders?
    • Citizens / the public at large?
    • Card brands?
    • Issuing banks?
    • Customers?
    • Business partners?
    • Consumers?
    • Taxpayers (law enforcement costs)?
  • 25. Fixed / Overall Costs
    Per record costs:
    • Direct/Primary
    • Indirect/Secondary
    • Variable costs that scale with magnitude of breach
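Slide 25 splits impact into costs that are fixed for the incident and costs that scale with the number of records, and slides 21 and 22 name the discoverable categories on each side. The Python below is an added example, not from the presentation or from any published benchmark: it builds that fixed-plus-per-record structure out of the categories on slides 21 and 22, gives each input a (low, most likely, high) range, and compares a single "most likely" point estimate with a small Monte Carlo run over the ranges. Every dollar figure, the record-count range and the category split are constructed assumptions for illustration only.

```python
"""Breach impact = fixed costs + per-record costs x records exposed, with
each input carried as a (low, most likely, high) range.

Added example, not from the presentation. All figures are constructed
assumptions, not published benchmarks.
"""
import random

# Fixed / overall costs: incurred once per incident regardless of size.
# Categories from slides 21-22; the ranges are constructed.
FIXED_COSTS = {
    "incident_response_forensics": (50_000, 120_000, 400_000),
    "legal": (25_000, 100_000, 500_000),
    "public_relations": (10_000, 40_000, 150_000),
    "regulatory_fines": (0, 50_000, 1_000_000),
}
# Per-record costs: scale with the magnitude of the breach (dollars/record).
PER_RECORD_COSTS = {
    "notification_letters": (0.50, 1.00, 3.00),
    "credit_monitoring": (5.00, 12.00, 25.00),
    "call_center_handling": (0.25, 1.50, 6.00),
}
# The record count itself is usually uncertain early in an investigation.
RECORDS_EXPOSED = (20_000, 75_000, 300_000)


def _tri(rng: random.Random, estimate: tuple) -> float:
    """Sample a (low, most_likely, high) estimate from a triangular
    distribution. random.triangular takes (low, high, mode), so reorder."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def point_estimate(records: int) -> float:
    """Deterministic total using the 'most likely' value of every input."""
    fixed = sum(mode for _, mode, _ in FIXED_COSTS.values())
    per_record = sum(mode for _, mode, _ in PER_RECORD_COSTS.values())
    return fixed + per_record * records


def sample_total(rng: random.Random) -> float:
    """One trial: every input, including the record count, drawn independently."""
    records = _tri(rng, RECORDS_EXPOSED)
    fixed = sum(_tri(rng, est) for est in FIXED_COSTS.values())
    per_record = sum(_tri(rng, est) for est in PER_RECORD_COSTS.values())
    return fixed + per_record * records


def simulate(trials: int = 5000, seed: int = 42) -> dict:
    """Monte Carlo summary of the total: percentiles, mean and extremes.
    A fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    totals = sorted(sample_total(rng) for _ in range(trials))

    def pct(p: float) -> float:
        return totals[min(int(p * trials), trials - 1)]

    return {
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "mean": sum(totals) / trials,
        "min": totals[0],
        "max": totals[-1],
    }


if __name__ == "__main__":
    print(f"point estimate at 75,000 records: ${point_estimate(75_000):,.0f}")
    for name, value in simulate().items():
        print(f"{name:>5}: ${value:,.0f}")
```

Because every range here is skewed to the right (the high value sits much further from the most likely value than the low one does), the simulated mean comes out well above the point estimate built from most-likely values; a single number taken at the mode quietly understates expected impact, which is the reason for reporting a range such as p10/p50/p90 instead.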
  • 26. How to value?
    • Fair Market Value
    • Fair Value
    • Historical Value
    Methodologies:
    • Cost Approach
    • Market Approach
    • Income Approach
    • Relief from Royalty Approach
    • Technology Factor
  • 27. How do we know about data breaches?
    • Victim notifications
    • News media
    • Securities and Exchange Commission (SEC) filings
    • Department of Justice (DOJ) indictments
    • HIPAA/HITECH Office of Civil Rights (OCR) actions
    • FTC actions
    • Press releases
    Disclosure laws:
    • HIPAA/HITECH
    • State breach laws
    • New SEC Guidance re “material” impact
  • 28. Research projects:
    • Datalossdb.org (www.datalossdb.org)
    • Identity Theft Resource Center (www.idtheftcenter.org)
    • Office of Inadequate Security (www.databreaches.net)
    Published reports:
    • Cisco
    • Mandiant
    • Ponemon Institute
    • Sophos
    • Symantec
    • Verizon Business DBIR
    • X-Force (IBM)
  • 29. Non-public sources:
    • Forensics Investigators
    • Card Brands
    • Payment Processors
    • Subscription services
    • Data sharing consortia – Information Sharing and Analysis Centers (ISACs)
    • Government Intelligence agencies
    • Word of mouth and anecdotal evidence
  • 30. Thank you!
    Patrick Florer, CTO and Co-founder, Risk Centric Security, Inc
    patrick@riskcentricsecurity.com
    214.828.1172
    Authorized reseller of ModelRisk from Vose Software
    To provide feedback on this presentation: https://www.surveymonkey.com/sourceboston12