While the expansion of technology—especially the Internet—delivers many benefits, it also produces risks and threats to both individuals and organizations. One of those threats is cybercrime, where criminals use technology, stealth, and cunning to rob others. One popular crime among cybercriminals is identity (ID) theft, which has become rampant, with costs totaling millions each year. These criminals find a bonanza if they can successfully perpetrate a “data breach,” where they break into a system and database to steal data. This data is usually in the form of personally identifiable information (PII), including addresses, social security numbers, bank account numbers, or data on credit/debit cards—which is an even more direct way to perpetrate ID theft.
The Data Breach Problem
Even large, sophisticated organizations can have their systems penetrated in a data breach and lose thousands, even millions, of people’s PII or credit/debit card data. There are some safety measures to help prevent this crime—or at least detect it early. But the truth is that many organizations are susceptible, and do not know it!
Each year, millions of data records are stolen in hundreds of different incidents. Ponemon Institute surveys show the average cost of a data breach for organizations is over $7M in the U.S. The same surveys report that 90% of those entities had at least one breach in the prior year. Before small and medium-sized businesses assume they are not at risk, consider that PC World says a data breach is a fairly common occurrence among companies of all sizes. In addition, several cyber-attacks are aimed specifically at small to medium-sized businesses (SMBs).
A good example is the data breach perpetrated against the Department of Revenue for the state of South Carolina and the data records held in its systems. According to reports, about 3.6M records were compromised in the data breach. The cybercriminals got social security numbers and other PII, which can be used to perpetrate ID theft crimes. Thieves also accessed data on 387K credit/debit cards. Stolen records covered over 15 years of data. Fortunately, the state used encryption on recent credit/debit card records, and only 16K records were unencrypted. However, cybercriminals are tech savvy, and there is a chance they might take the time to break the encryption on those records.
A cybercriminal attacked the systems of South Carolina from a foreign Internet address, and again a month later – this time gaining access to tax returns going back several years. The attack went unnoticed for about 70 days, until the U.S. Secret Service electronic crimes task force detected the crime. It took 10 more days for South Carolina to lock down its systems and secure its data. Note that SC did not discover the crime itself – the detection came from outside. It is possible the crime would have gone undetected for much longer.
Governor Nikki Haley declared it was “creative,” which brings up one of the points about data breaches and similar cybercrimes. Cybercriminals, as stated above, are tech savvy and therefore fully capable of conducting sophisticated, crafty, and “creative” attacks to steal data. A second point is that the cybercriminal often targets a specific victim. Thirdly, these attacks are often associated with cyber gangs who live in foreign countries that are safe havens for them. Data breach and the resulting ID theft are the new international crime wave.
The risks include costs associated with:
- IT repairs and mitigation activities
- Costs associated with protecting PII of customers
- Loss of public image and relations
Obviously, the initial costs are associated with mitigating the vulnerability, or “loophole,” that allowed the breach to occur. IT professionals have to figure out how the cybercriminal accessed their system, how to patch it, and how to prevent it from happening again. Remember, it took South Carolina 10 days to do all of that, on top of the costs of technologies and other purchases. Sometimes, a consultant subject matter expert (SME) might be needed to “fix” the loophole.
Monetary costs related to customers typically involve the organization providing credit monitoring (usually for one year), and sometimes an insurance policy—often for as much as $1M—to cover future fraud based on stolen PII. Think about an organization that has 3.6M such clients and calculate the total costs of these two provisions.
Then there is the effect of a publicized data breach on the reputation and public image of the victim organization. While it is difficult to assign a specific monetary figure to this situation, almost everyone would agree there is some level of cost in this intangible circumstance.
Finally, there can be legal fees. If individuals sue the victim organization for not protecting their PII, the victim has to pay money to defend itself even though it is itself the victim of a cybercrime – a paradox to say the least. Settlement costs can be significant, and if the case goes to court and the organization loses the lawsuit, then there could be stiff costs associated with the court’s decision.
Executives need to understand that the risk is not just that their organization can become a victim of a data breach or that the organization may end up in court. The risk goes beyond that. There is a new expansion of legal risk.
Over the last few years, about 47 states have passed a security (data) breach law. Businesses that fall victim to a data breach may also be found guilty of violating one or more states’ security breach laws. A few years ago, choicepoint.com had a breach that cost them millions of dollars in fines and mandatory security audits for years.
In recent years, the federal government has tried to craft and pass a federal security breach law similar to those enacted by those 47 states. The bill contained language to set a national standard for data breach notification to the victim’s clients, and it would replace existing state laws. It would also set maximum damages the victim would have to pay its clients, and define specifically what a breach is. To date that bill has not been passed.
But more important than the pending federal law is the legal risk of existing law, and the way courts are interpreting it. Up until a couple of years ago, courts dismissed a lot of claims of damages due to data breaches similar to the one in South Carolina. Victims had to show specific damages, and often the data had been stolen but the cybercriminals had not used a person’s data—yet.
Now judges are allowing class action suits related to data breaches. Moreover, they are taking into account the lag between the theft of PII and its use to conduct ID theft crimes: those crimes do involve monetary damages, but not until weeks or months after the theft. Now judges consider lawsuits that can show a real possibility of future damages. Organizations will need to make sure their insurance is adequate to handle this rare but possible event.
Although it is impossible to prevent all data breach attacks, the courts have taken a stance on reasonable protection. The metric for that reasonableness is best practices in cyber security to protect against a data breach. That is, the more the entity has adopted those best practices, the less likely the court is to rule on behalf of the plaintiff, or the lower the settlement. Conversely, the less the defendant has employed best practices, the more likely the judge or court is to rule in favor of plaintiffs, and the higher the settlement.
According to a study by Temple University Beasley School of Law, in the case of a lawsuit associated with a data breach, the average settlement award is $2,500 per plaintiff, and the average attorney fees are $1.2M. As can easily be seen, the potential legal costs are a significant risk that no executive wants to have to address as the result of a data breach. These costs are additional to the ones mentioned in the last section.
Next Steps to Defend from a Cybersecurity Attack
Organizations must evaluate the risks associated with a data breach. If an organization maintains PII of individuals who are essentially its customers, then the higher the number of such customers, the higher the inherent risk. In the case of SC above, the initial risk assessment is quite large, with millions of “customers.” Then, the entity must evaluate its level of security over PII. It could be that the entity has sufficiently addressed the risk by employing the necessary best practices. But if the entity has not done an assessment, it is likely to be quite vulnerable and susceptible to the large costs of a data breach, and it is likely it has not employed a sufficient level of best practices. In this process, the organization should assess the need for the outside assistance of an SME.
A key takeaway from this article is related to the legal aspect. Entities that maintain large databases of individuals and their PII, especially government agencies, should be prepared for a data breach by doing due diligence, as defined by the cyber security profession. That includes such preparation as ensuring an adequate level of best practices has been employed, and that an incident response plan is in place to handle all of the aspects of risks and costs mentioned herein.
When this attack happened in South Carolina, many of the people who thought they might be victims called the South Carolina Society of CPAs and asked for help from a CPA, or they called their CPA for assistance. If you have questions, please call the CRI cybersecurity team. We would be pleased to assist you in assessing this risk and/or getting adequately prepared.