Deconstructing the Cost of a Data Breach

Deconstructing Data Breach Cost

DESCRIPTION

As privacy and security professionals it's true: we simply can't get enough data on the costs of a data breach. This is primarily driven, of course, by our desire to quantify the risks associated with our profession in terms that organizations can understand and measure. Our quest is complicated, however, by the fact that breach cost data is so hard to come by. This unique webinar will take data breach analysis to the next level. First we'll define our terms and review some of the best known, publicly available data breach research. Then we'll dive into a more detailed, exhaustive, quantitative review of breach data. This will include both case studies of a few seminal data breaches and statistical analysis of data breaches in the aggregate. Our featured speaker for this timely webinar is Patrick Florer, Co-Founder & CTO of Risk Centric Security. Patrick, who is also a Fellow and Chief Research Analyst at the Ponemon Institute, has decades of experience in risk analysis and analytics and is considered an expert in data breach analysis.

Page 1: Deconstructing Data Breach Cost

Deconstructing the Cost of a Data Breach

Page 2: Deconstructing Data Breach Cost

Agenda

• Introductions

• Deconstructing the cost of a data breach:
  • Data breaches can involve many types of data.
  • Data breaches can involve many types of costs.
  • The costs of a data breach can range from zero to more than $170 million.

• Q&A

Page 3: Deconstructing Data Breach Cost

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems
  • Security / compliance entrepreneur
  • Security industry analyst

• Patrick Florer, Co-Founder & CTO, Risk Centric Security
  • Fellow of and Chief Research Analyst at the Ponemon Institute
  • 32 years of IT experience, including roles in IT operations, development, and systems analysis
  • 17 years in parallel working in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment

Page 4: Deconstructing Data Breach Cost

Co3 Automates Breach Management

PREPARE

Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps

REPORT

Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports

ASSESS

Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments

MANAGE

Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

Page 5: Deconstructing Data Breach Cost

About Risk Centric Security

• Risk Centric Security offers state of the art SaaS tools and training that empower Information Security Professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand.

• Risk Centric Security was founded by two Information Technology and Information Security veterans who have more than forty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000.

Risk Centric Security, Inc. www.riskcentricsecurity.com

Authorized reseller of ModelRisk from Vose Software

Page 6: Deconstructing Data Breach Cost

What is a data breach?

Data Breach:

• A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

• The law is evolving – basically a breach is an unauthorized use of a computer system.

• Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).

• Data breaches can also happen by accident or error.

Page 7: Deconstructing Data Breach Cost

What is a data breach?

Data Breach:

• Is the concept of a breach too narrow to describe many types of events?

• Do we need different words and concepts?
  - A single event at a single point in time?
  - What about an attack that exfiltrates data over a long period of time?

Page 8: Deconstructing Data Breach Cost

What kinds of data might be exposed?

• Operational Data
• Intellectual Property
• Financial Information
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)

Page 9: Deconstructing Data Breach Cost

What kinds of data might be exposed?

Personally Identifiable Information (PII):

• The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:

• Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Page 10: Deconstructing Data Breach Cost

What data aren’t PII?

• Data that identify a person that are not considered protected:
  • Name
  • Address
  • Phone number
  • Email address – things are changing with regard to e-mail addresses
  • Facebook name
  • Twitter handle

Page 11: Deconstructing Data Breach Cost

Is it PII or not?

Personally Identifiable Information (PII):

• According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.

• Geo-location data?

• Was the Epsilon breach a “breach”?

• Have there been other “non-breach” breaches?

• Given the powerful correlations that can be made, are these definitions too narrow?

Page 12: Deconstructing Data Breach Cost

What kinds of data might be exposed?

Protected Health Information (PHI):

Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

Page 13: Deconstructing Data Breach Cost

POLL

What type of data does your company mainly collect/store?

Page 14: Deconstructing Data Breach Cost

What costs are we going to discuss?

• Direct and Indirect Costs?

• Primary and Secondary Costs?

• Costs that we should be able to discover and/or estimate.

• Costs that might be difficult to discover and/or estimate.

Page 15: Deconstructing Data Breach Cost

What costs are we going to discuss?

Costs that we should be able to discover and/or estimate:

• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)

Page 16: Deconstructing Data Breach Cost

What costs are we going to discuss?

Costs that we should be able to discover and/or estimate:

• Fines and indemnifications imposed by contracts with business partners

• Contractual fines and penalties resulting from PCI DSS related incidents - either data loss or compliance failure

• Judgments and legal settlements - customers, business partners, shareholders

• Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)

Page 17: Deconstructing Data Breach Cost

What costs are we going to discuss?

Costs that might be difficult to discover and/or estimate:

• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and sales losses from customers and business partners who went elsewhere
• Value of intellectual property

Page 18: Deconstructing Data Breach Cost

Whose costs are we going to discuss?

• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?

Page 19: Deconstructing Data Breach Cost

How do we measure and estimate costs?

• Fixed / Overall Costs

• Per record costs

• Direct/Primary

• Indirect/Secondary

• Variable costs that scale with magnitude of breach

Page 20: Deconstructing Data Breach Cost

Sources of Data

How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office of Civil Rights (OCR) actions
• FTC actions
• Press releases

Disclosure laws:
• HIPAA/HITECH
• State breach laws
• New SEC guidance re “material” impact

Page 21: Deconstructing Data Breach Cost

Sources of Data

Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)

Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)

Page 22: Deconstructing Data Breach Cost

Sources of Data

Non-public sources:

• Forensics investigators
• Card brands
• Payment processors
• Subscription services
• Data sharing consortia – Information Sharing and Analysis Centers (ISACs)
• Government intelligence agencies
• Word of mouth and anecdotal evidence

Page 23: Deconstructing Data Breach Cost

Some Estimates of Cost

Ponemon Institute 2011 Cost of Data Breach Study: United States

• 49 companies surveyed – multiple people per company.
• Breach sizes ranged from 5K – 100K exposed records.
• Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.

• According to some legal experts, Ponemon Institute numbers are the “gold” standard in the Federal Courts.

• The raw data are published in the report appendix.

Page 24: Deconstructing Data Breach Cost

POLL

What do you think the average data breach cost per record is?

Page 25: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon Institute

In the 2011 report:

• Overall weighted average per record = $194 (down from $214 in 2010)

• Overall average total = $5.5M (down from $7.2M in 2011)

Page 26: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon Institute

Page 27: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon Institute

Page 28: Deconstructing Data Breach Cost

Some Estimates of Cost: Larger Breaches

DSW Shoes (2005):

• 1.4 million records / $6.5M – $9.5M (press releases)

• Cost per record = $4.64 – $6.79

Page 29: Deconstructing Data Breach Cost

Some Estimates of Cost: Larger Breaches

TJX (Dec, 2007):

• 90 million records / $171M – $191M (SEC filings)

• Accelerated CapEx = $250M (rumored)

• Cost per record = $1.90 – $2.12

Page 30: Deconstructing Data Breach Cost

Some Estimates of Cost: Larger Breaches

Heartland Payment Systems (Dec, 2009):

• 130 million records / $114M – $117M, after $31.2M recovery from insurance (SEC filings)

• Cost per record = ~$0.90

Page 31: Deconstructing Data Breach Cost

Some Estimates of Cost: Larger Breaches

Sony (Mar, 2011):

• 100 million records / $171M (Sony press release)

• Cost per record = $1.71

Page 32: Deconstructing Data Breach Cost

Some Estimates of Cost: Larger Breaches

Global Payments (June, 2011):

• 1.5 - 7 million records / $84.4M in 2012, $55 - $65M in 2013 (SEC filings)

• Up to $30M recovered through insurance (SEC filings)

• Total cost estimated to be $110M - $120M

• Cost per record = $15.71 - $80

Page 33: Deconstructing Data Breach Cost

Some Estimates of Cost: Larger Breaches

South Carolina Department of Revenue (October, 2012), as of 11/08/2012:

• 3.8M individual tax returns exposed – up from 3.6M
• 657,000 business returns exposed
• Two-pronged attack – phish and malware
• Data were not encrypted – Governor of SC stated it was best practice not to encrypt
• Outside forensics and legal have been retained
• Total cost estimated to be $12M – $18M
• Cost per record = $3 – $5

Page 34: Deconstructing Data Breach Cost

Some Estimates of Cost: Correlations

• Measured on a per record basis, the cost per record declines as the size of the breach increases

• Measured on a total cost basis, the total cost increases as the number of exposed records increases

• Both of these correlations are weak

Page 35: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon Correlations

Page 36: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon Correlations

Page 37: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 38: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 39: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 40: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 41: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 42: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost

Page 43: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 44: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 45: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 46: Deconstructing Data Breach Cost

Some Estimates of Cost: Ponemon + Other Data Correlations

Page 47: Deconstructing Data Breach Cost

Are There Patterns in the Data? Log10 Frequency of Exposed Records

Page 48: Deconstructing Data Breach Cost

Are There Patterns in the Data? Beta4 Distribution with Uncertainty

Page 49: Deconstructing Data Breach Cost

Are There Patterns in the Data? Beta4 Quantile-Quantile (Q-Q) Plot

Page 50: Deconstructing Data Breach Cost

Are There Patterns in the Data? Levy Distribution – a very poor fit

Page 51: Deconstructing Data Breach Cost

Are There Patterns in the Data? Future Research

Model breach cost by size of breach, using a scale that is logarithmic (mostly):

• <5K records
• 5K – 100K records
• 100K – 1M records
• 1M – 10M records
• 10M – 100M records
• >100M records
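The per-record arithmetic on the "Larger Breaches" slides (Pages 28 to 33), the direction of the two correlations stated on Page 34, and the log-scale size buckets proposed on Page 51, worked through as an added Python example that is not part of the webinar. The breach figures are the ones the slides give; the Spearman rank correlation, the use of range midpoints, the upper-inclusive bucket boundaries and the `Breach` dataclass are this example's own choices.

```python
"""Per-record cost and rank correlations for the breaches cited on the slides.

Added example: the breach figures are the ones given on the slides; the
correlation method (Spearman rank) and the size buckets from the
"Future Research" slide are this example's choices, not the speaker's.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Breach:
    name: str
    records_lo: int       # exposed records, low estimate
    records_hi: int       # exposed records, high estimate
    cost_lo_musd: float   # total cost in $M, low estimate
    cost_hi_musd: float   # total cost in $M, high estimate


# Figures as presented on the slides (press releases / SEC filings).
# South Carolina: 3.8M individual returns only, which is the basis of the
# slide's "$3 - 5 per record" figure.
BREACHES: List[Breach] = [
    Breach("DSW Shoes (2005)", 1_400_000, 1_400_000, 6.5, 9.5),
    Breach("TJX (2007)", 90_000_000, 90_000_000, 171.0, 191.0),
    Breach("Heartland Payment Systems (2009)", 130_000_000, 130_000_000, 114.0, 117.0),
    Breach("Sony (2011)", 100_000_000, 100_000_000, 171.0, 171.0),
    Breach("Global Payments (2011)", 1_500_000, 7_000_000, 110.0, 120.0),
    Breach("SC Dept. of Revenue (2012)", 3_800_000, 3_800_000, 12.0, 18.0),
]


def per_record_range(b: Breach) -> Tuple[float, float]:
    """Widest per-record band: lowest cost over the most records, highest
    cost over the fewest (reproduces the slides' $15.71 - $80 for Global
    Payments)."""
    return (b.cost_lo_musd * 1e6 / b.records_hi,
            b.cost_hi_musd * 1e6 / b.records_lo)


def size_bucket(records: int) -> str:
    """Bucket a breach on the (mostly) log10 scale proposed on Page 51."""
    if records < 5_000:
        return "<5K"
    for upper, label in ((100_000, "5K - 100K"), (1_000_000, "100K - 1M"),
                         (10_000_000, "1M - 10M"), (100_000_000, "10M - 100M")):
        if records <= upper:
            return label
    return ">100M"


def _ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman rank correlation, 1 - 6*sum(d^2)/(n(n^2-1)); exact when
    there are no ties, which holds for the data above."""
    n = len(xs)
    d2 = sum((a - b) ** 2 for a, b in zip(_ranks(xs), _ranks(ys)))
    return 1.0 - 6.0 * d2 / (n * (n * n - 1))


def correlations(breaches: Sequence[Breach] = BREACHES) -> Dict[str, float]:
    """Rank correlation of breach size with total cost and with per-record
    cost, using the midpoints of each slide's ranges."""
    recs = [(b.records_lo + b.records_hi) / 2 for b in breaches]
    costs = [(b.cost_lo_musd + b.cost_hi_musd) / 2 for b in breaches]
    per_rec = [c * 1e6 / r for c, r in zip(costs, recs)]
    return {"records_vs_total": spearman(recs, costs),
            "records_vs_per_record": spearman(recs, per_rec)}


if __name__ == "__main__":
    for b in BREACHES:
        lo, hi = per_record_range(b)
        print(f"{b.name:34s} {size_bucket(b.records_hi):>10s}  "
              f"${lo:6.2f} - ${hi:6.2f} per record")
    print(correlations())
```

On these six breaches the rank correlations come out positive for records against total cost and negative for records against per-record cost, which is the direction the slides report; with six points the magnitudes mean little, and the slides' own verdict on the larger data set is that both correlations are weak. Feeding the function a per-record figure computed the slides' way (lowest cost over the most records, highest cost over the fewest) is what makes ranges such as Global Payments' 1.5 to 7 million records produce the wide $15.71 to $80 band.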

Page 52: Deconstructing Data Breach Cost

Wrap-up

• We have covered many topics today. To summarize:

• Breaches can involve many types of data:
  • To date, most reported breaches deal with PII, PHI, and credit card data.
  • For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
  • Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.

Page 53: Deconstructing Data Breach Cost

Wrap-up

• Breaches involve many types of costs:
  • In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
  • A PHI breach may result in fines that seem disproportionate to the number of records exposed.
  • Per-record metrics are appropriate for some types of breaches (PII, PHI, credit card), but not others (IP).
  • Brand damage and loss of stock value are difficult to measure, and, in some cases, do not appear to exist.

Page 54: Deconstructing Data Breach Cost

Wrap-up

• The costs of a data breach can range from nothing to over $170 million:
  • Breaches that are never detected cost nothing – nothing that can be measured, at least.
  • Per the numbers from the 2011 Ponemon Institute Cost of Data Breach study, there is a wide variation in total breach cost: from $500K to over $20 million.
  • For breaches that expose more than 1 million records, the reported costs per record vary greatly, ranging from as little as $0.90 per record (Heartland Payment Systems) to as much as $80 per record (Global Payments).

Page 55: Deconstructing Data Breach Cost

Wrap-up

• There may be patterns in the data that can help us predict the cost of a breach, should it happen to us:
  • The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
  • Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
  • As breach size increases, some costs appear to scale more than others: forensics = less, notifications = more, credit monitoring = more, fines & judgments = more, customer loss = unknown.

Page 56: Deconstructing Data Breach Cost

QUESTIONS

Page 57: Deconstructing Data Breach Cost

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Patrick Florer

Co-Founder & CTO

Risk Centric Security, Inc.

214-828-1172

[email protected]

www.riskcentricsecurity.com

Page 58: Deconstructing Data Breach Cost

APPENDIX

Page 59: Deconstructing Data Breach Cost

What kinds of data might be exposed?

Operational Data:

• Unpublished phone numbers
• Private email addresses
• HR data about employees
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data

Page 60: Deconstructing Data Breach Cost

What kinds of data might be exposed?

Intellectual Property:

• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and other plans
• Product designs, plans, formulas, recipes

Page 61: Deconstructing Data Breach Cost

What kinds of data might be exposed?

Financial information:

• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data

Page 62: Deconstructing Data Breach Cost

What is PII in the European Union?

Personally Identifiable Information (PII):

• A term similar to PII, "personal data", is defined in EU Directive 95/46/EC, for the purposes of the directive:

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

from wikipedia.com

Page 63: Deconstructing Data Breach Cost

What is Protected Health Information (PHI)?

• PHI that is linked based on the following list of 18 identifiers must be treated with special care according to HIPAA:

• Names

• All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

• Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

• Phone numbers

Page 64: Deconstructing Data Breach Cost

What is Protected Health Information (PHI)?

Protected Health Information (PHI):
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
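The ZIP-code and date/age rules quoted on Page 63 are precise enough to code, and a defender who has to release or share PHI-derived data needs exactly this kind of check. Below is an added Python example (not from the webinar, and not any product's implementation) that applies those rules to a record: keep the 3-digit ZIP prefix only when the Census population of that prefix exceeds 20,000, otherwise emit 000; reduce dates to the year; collapse ages over 89 to "90+" and withhold the birth year for those people, since it would reveal the age. The population table, the reference date and the patient records are constructed sample data; every other identifier on the two list slides (names, phone numbers, and so on) is handled by simply not copying it into the output.

```python
"""Safe Harbor generalisation of the geographic, date and age identifiers
listed on the slides.

Added example, not from the webinar: the thresholds (3-digit ZIP prefix,
20,000-person areas, age 89) are the ones quoted on the slide; the
population table, the reference date and the patient records are
constructed sample data.
"""
from datetime import date
from typing import Dict, List, Mapping

# CONSTRUCTED sample population per 3-digit ZIP prefix. The real rule
# requires current Census data; these numbers are illustrative only.
SAMPLE_PREFIX_POPULATION: Dict[str, int] = {
    "021": 450_000,   # more than 20,000 people: the prefix may be kept
    "036": 12_000,    # 20,000 or fewer: the prefix must become 000
}

# CONSTRUCTED reference date for the age calculation.
AS_OF = date(2012, 11, 8)

# CONSTRUCTED patient records; the direct identifiers (name, phone) are
# present so the example shows that they do not survive de-identification.
SAMPLE_RECORDS: List[dict] = [
    {"name": "Sample Person A", "phone": "555-0100", "zip": "02139",
     "birth_date": date(1950, 6, 15), "admission_date": date(2012, 3, 4)},
    {"name": "Sample Person B", "phone": "555-0101", "zip": "03601",
     "birth_date": date(1920, 1, 1), "admission_date": date(2012, 9, 30)},
]


def generalize_zip(zip_code: str, prefix_population: Mapping[str, int]) -> str:
    """Keep the first three ZIP digits only if that area holds more than
    20,000 people; otherwise (or if the population is unknown) emit 000."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError(f"not a 5-digit ZIP code: {zip_code!r}")
    prefix = digits[:3]
    population = prefix_population.get(prefix)
    if population is None or population <= 20_000:
        return "000"
    return prefix


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify(record: Mapping, as_of: date = AS_OF,
               prefix_population: Mapping[str, int] = SAMPLE_PREFIX_POPULATION) -> dict:
    """Copy only the generalised fields the slide's rules allow.

    Names, phone numbers and every other listed identifier are simply not
    copied; dates are reduced to the year; an age over 89 collapses to
    "90+" and the birth year is then withheld too, since together with the
    reference date it would reveal the age."""
    out: dict = {"zip3": generalize_zip(record["zip"], prefix_population),
                 "admission_year": record["admission_date"].year}
    age = age_on(record["birth_date"], as_of)
    if age > 89:
        out["age"] = "90+"
    else:
        out["age"] = age
        out["birth_year"] = record["birth_date"].year
    return out


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec))
```

A prefix missing from the population table is treated as small and becomes 000; that is the conservative choice, since an incomplete lookup table should never widen what is released. The allow-list shape of `deidentify` (build the output from named safe fields rather than deleting known-bad ones) is what keeps a newly added column from leaking by default.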

Page 65: Deconstructing Data Breach Cost

How do we estimate costs – Intellectual Property

How to value?
• Fair Market Value
• Cost to Create
• Historical Value

Methodologies:
• Cost Approach: Reproduction or Replacement
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor