
Deconstructing the Cost of a Data Breach

Agenda

Introductions
Deconstructing the cost of a data breach:
- Data breaches can involve many types of data.
- Data breaches can involve many types of costs.
- The costs of a data breach can range from zero to more than $170 million.
Q&A

Page 2

Introductions: Today's Speakers


Ted Julian, Chief Marketing Officer, Co3 Systems
- Security / compliance entrepreneur
- Security industry analyst

Patrick Florer, Co-Founder & CTO, Risk Centric Security
- Fellow of and Chief Research Analyst at the Ponemon Institute
- 32 years of IT experience, including roles in IT operations, development, and systems analysis
- 17 years in parallel working in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment

Page 3

Co3 Automates Breach Management


PREPARE: Improve Organizational Readiness
- Assign response team
- Describe environment
- Simulate events and incidents
- Focus on organizational gaps

ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
- Track events
- Scope regulatory requirements
- See $ exposure
- Send notice to team
- Generate Impact Assessments

REPORT: Document Results and Track Performance
- Document incident results
- Track historical performance
- Demonstrate organizational preparedness
- Generate audit/compliance reports

MANAGE: Easily Generate Detailed Incident Response Plans
- Escalate to complete IR plan
- Oversee the complete plan
- Assign tasks: who/what/when
- Notify regulators and clients
- Monitor progress to completion

Page 4

About Risk Centric Security


Risk Centric Security offers state of the art SaaS tools and training that empower Information Security Professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand. Risk Centric Security was founded by two Information Technology and Information Security veterans who have more than forty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000.

Risk Centric Security, Inc.


www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software

Page 5

What is a data breach?


Data Breach:
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. The law is evolving; basically, a breach is an unauthorized use of a computer system. Many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA). Data breaches can also happen by accident or error.

Page 6

What is a data breach?


Data Breach:

Is the concept of a breach too narrow to describe many types of events?


Do we need different words and concepts?
- A single event at a single point in time?
- What about an attack that exfiltrates data over a long period of time?

Page 7

What kinds of data might be exposed?

- Operational Data
- Intellectual Property
- Financial Information
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)

Page 8

What kinds of data might be exposed? Personally Identifiable Information (PII):


The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Page 9

What data aren't PII? Data that identify a person but are not considered protected:
- Name
- Address
- Phone number
- Email address (things are changing with regard to e-mail addresses)
- Facebook name
- Twitter handle

Page 10

Is it PII or not?
Personally Identifiable Information (PII):
According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
- Geo-location data?
- Was the Epsilon breach a breach?
- Have there been other non-breach breaches?

Given the powerful correlations that can be made, are these definitions too narrow?

Page 11

What kinds of data might be exposed? Protected Health Information (PHI):


Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.

Page 12

POLL

What costs are we going to discuss?
- Direct and Indirect Costs?
- Primary and Secondary Costs?
- Costs that we should be able to discover and/or estimate.
- Costs that might be difficult to discover and/or estimate.


Page 14

What costs are we going to discuss? Costs that we should be able to discover and/or estimate:
- Lost productivity
- Incident response and forensics costs
- Costs of replacing lost or damaged hardware, software, or information
- Public relations costs
- Legal costs
- Costs of sending letters to notify customers and business partners
- Costs of providing credit monitoring
- Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)

Page 15

What costs are we going to discuss? Costs that we should be able to discover and/or estimate:
- Fines and indemnifications imposed by contracts with business partners
- Contractual fines and penalties resulting from PCI DSS related incidents - either data loss or compliance failure
- Judgments and legal settlements - customers, business partners, shareholders
- Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)

Page 16

What costs are we going to discuss? Costs that might be difficult to discover and/or estimate:
- Loss of competitive advantage
- Loss of shareholder value
- Reputation loss
- Opportunity and sales losses from customers and business partners who went elsewhere
- Value of intellectual property

Page 17

Whose costs are we going to discuss?


- Breached entity?
- Shareholders?
- Citizens / the public at large?
- Card brands?
- Issuing banks?
- Customers?
- Business partners?
- Consumers?
- Taxpayers (law enforcement costs)?

Page 18

How do we measure and estimate costs?


- Fixed / overall costs
- Per record costs
- Direct/primary
- Indirect/secondary
- Variable costs that scale with the magnitude of the breach

Page 19

Sources of Data: How do we know about data breaches?


- Victim notifications
- News media
- Securities and Exchange Commission (SEC) filings
- Department of Justice (DOJ) indictments
- HIPAA/HITECH Office of Civil Rights (OCR) actions
- FTC actions
- Press releases

Disclosure laws:
- HIPAA/HITECH
- State breach laws
- New SEC guidance re material impact

Page 20

Sources of Data: Research projects:


- Datalossdb.org (www.datalossdb.org)
- Identity Theft Resource Center (www.idtheftcenter.org)
- Office of Inadequate Security (www.databreaches.net)

Published reports:
- Cisco
- Mandiant
- Ponemon Institute
- Sophos
- Symantec
- Verizon Business DBIR
- X-Force (IBM)
Page 21

Sources of Data: Non-public sources:


- Forensics investigators
- Card brands
- Payment processors
- Subscription services
- Data sharing consortia
- Information Sharing and Analysis Centers (ISACs)
- Government intelligence agencies
- Word of mouth and anecdotal evidence

Page 22

Some Estimates of Cost: Ponemon Institute 2011 Cost of Data Breach Study: United States
- 49 companies; multiple people surveyed per company.
- Breach sizes ranged from 5K - 100K exposed records.
- Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.
- According to some legal experts, Ponemon Institute numbers are the gold standard in the Federal Courts.
- The raw data are published in the report appendix.

Page 23

POLL

Some Estimates of Cost: Ponemon Institute In the 2011 report:


Overall weighted average per record = $194 (down from $214 in 2010)

Overall average total = $5.5 M (down from $7.2M in 2011)

Page 25

Some Estimates of Cost: Ponemon Institute (chart slides, Pages 26 and 27; the charts are not captured in this text)

Page 27

Some Estimates of Cost: Larger Breaches - DSW Shoes (2005):

1.4 million records / $6.5M - $9.5M (press releases)
Cost per record = $4.64 - $6.79

Page 28

Some Estimates of Cost: Larger Breaches - TJX (Dec, 2007):

90 million records / $171M - $191M (SEC filings)
Accelerated CapEx = $250M (rumored)
Cost per record = $1.90 - $2.12

Page 29

Some Estimates of Cost: Larger Breaches - Heartland Payment Systems (Dec, 2009):

130 million records / $114M - $117M, after $31.2M recovery from insurance (SEC filings)
Cost per record = ~$0.90

Page 30

Some Estimates of Cost: Larger Breaches - Sony (Mar, 2011):

100 million records / $171M (Sony press release)
Cost per record = $1.71

Page 31

Some Estimates of Cost: Larger Breaches - Global Payments (June, 2011):

1.5 - 7 million records / $84.4M in 2012, $55M - $65M in 2013 (SEC filings)
Up to $30M recovered through insurance (SEC filings)
Total cost estimated to be $110M - $120M
Cost per record = $15.71 - $80

Page 32

Some Estimates of Cost: Larger Breaches - South Carolina Department of Revenue (October, 2012), as of 11/08/2012:
- 3.8M individual tax returns exposed (up from 3.6M)
- 657,000 business returns exposed
- Two-pronged attack: phishing and malware
- Data were not encrypted; the Governor of SC stated it was best practice not to encrypt
- Outside forensics and legal have been retained
- Total cost estimated to be $12M - $18M
- Cost per record = $3 - $5
Page 33

Some Estimates of Cost: Correlations
- Measured on a per record basis, the cost per record declines as the size of the breach increases.
- Measured on a total cost basis, the total cost increases as the number of exposed records increases.
- Both of these correlations are weak.

Page 34

Some Estimates of Cost: Ponemon Correlations (chart slides, Pages 34 and 35; the charts are not captured in this text)

Page 36

Some Estimates of Cost: Ponemon + Other Data Correlations (chart slides, Pages 36 to 45; the charts are not captured in this text)

Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost

Page 46
Are There Patterns in the Data? Log10 Frequency of Exposed Records

Page 47

Are There Patterns in the Data? Beta4 Distribution with Uncertainty

Page 48

Are There Patterns in the Data? Beta4 Quantile-Quantile (Q-Q) Plot

Page 49

Are There Patterns in the Data? Levy Distribution: a very poor fit

Page 50

Are There Patterns in the Data? Future Research

Model breach cost by size of breach, using a scale that is logarithmic (mostly):
- <5K records
- 5K - 100K records
- 100K - 1M records
- 1M - 10M records
- 10M - 100M records
- >100M records
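The "Larger Breaches" slides (Pages 28 to 33), the correlation slide, and the logarithmic size classes above all lean on the same two arithmetic steps: divide a reported cost range by a reported record range, and place the breach in a size class. The following Python script is an added illustration of those steps and is not the presenters' code or model. It transcribes the six breaches' figures from the slides (ranges kept as low/high pairs; TJX's rumored $250M CapEx is left out; South Carolina is counted at 3.8M individual returns, as the slide's $3 - $5 figure implies), derives the widest defensible per-record range for each, assigns the deck's size class, and computes a Spearman rank correlation of record count against total cost and against per-record cost. The boundary convention (a breach of exactly 100M records goes into the ">100M" class) and the use of range midpoints for the correlation are assumptions of this example, not the deck's; the deck's "weak" verdict refers to its larger Ponemon + other data set, and these six points only show the direction of the two relationships.

```python
"""Per-record cost, log-scale size buckets and rank correlation for the
breach figures quoted in the deck.  Added example, not the presenters' code:
the BREACHES table is transcribed from the "Larger Breaches" slides (ranges
kept as low/high pairs, TJX's rumored $250M CapEx excluded, SC DoR counted at
3.8M individual returns); bucket boundaries follow the "Future Research"
slide, assuming a breach of exactly N records falls in the class above N."""

# (name, records_low, records_high, total_cost_low, total_cost_high) in USD.
BREACHES = [
    ("DSW Shoes (2005)",                   1_400_000,   1_400_000,   6_500_000,   9_500_000),
    ("TJX (2007)",                        90_000_000,  90_000_000, 171_000_000, 191_000_000),
    ("Heartland Payment Systems (2009)", 130_000_000, 130_000_000, 114_000_000, 117_000_000),
    ("Sony (2011)",                      100_000_000, 100_000_000, 171_000_000, 171_000_000),
    ("Global Payments (2011)",             1_500_000,   7_000_000, 110_000_000, 120_000_000),
    ("SC Dept of Revenue (2012)",          3_800_000,   3_800_000,  12_000_000,  18_000_000),
]

# Exclusive upper bounds and labels from the deck's logarithmic scale.
BUCKETS = [
    (5_000,       "<5K records"),
    (100_000,     "5K-100K records"),
    (1_000_000,   "100K-1M records"),
    (10_000_000,  "1M-10M records"),
    (100_000_000, "10M-100M records"),
]


def per_record_range(records_low, records_high, cost_low, cost_high):
    """Widest defensible per-record range: cheapest cost spread over the most
    records, dearest cost spread over the fewest records."""
    return cost_low / records_high, cost_high / records_low


def size_bucket(records):
    """Map a record count onto the deck's log-scale size classes."""
    for upper, label in BUCKETS:
        if records < upper:
            return label
    return ">100M records"


def ranks(values):
    """1-based ranks; tied values share their average rank."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    out = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            out[order[k]] = avg
        i = j + 1
    return out


def spearman(xs, ys):
    """Spearman rho, computed as the Pearson correlation of the ranks."""
    rx, ry = ranks(xs), ranks(ys)
    n = len(xs)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / (vx * vy) ** 0.5


def summarize(breaches=BREACHES):
    """One row per breach: size class plus the per-record cost range."""
    rows = []
    for name, rl, rh, cl, ch in breaches:
        lo, hi = per_record_range(rl, rh, cl, ch)
        rows.append({"name": name, "bucket": size_bucket(rh),
                     "per_record_low": lo, "per_record_high": hi})
    return rows


def correlations(breaches=BREACHES):
    """Rank correlation of record count against total cost and against
    per-record cost, using the midpoints of the reported ranges."""
    recs = [(rl + rh) / 2 for _, rl, rh, _, _ in breaches]
    total = [(cl + ch) / 2 for _, _, _, cl, ch in breaches]
    per_rec = [sum(per_record_range(rl, rh, cl, ch)) / 2
               for _, rl, rh, cl, ch in breaches]
    return spearman(recs, total), spearman(recs, per_rec)


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['name']:36s} {row['bucket']:18s} "
              f"${row['per_record_low']:6.2f} - ${row['per_record_high']:6.2f}")
    rho_total, rho_per_record = correlations()
    print(f"rho(records, total cost)      = {rho_total:+.2f}")
    print(f"rho(records, cost per record) = {rho_per_record:+.2f}")
```

Running the script reproduces the slides' per-record figures (for example $15.71 - $80 for Global Payments and $1.90 - $2.12 for TJX) and shows why a single "cost per record" headline is fragile: when both the record count and the cost are reported as ranges, the per-record figure can span a factor of five for the same breach.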

Page 51

Wrap-up We have covered many topics today. To summarize:


Breaches can involve many types of data:
- To date, most reported breaches deal with PII, PHI, and credit card data.
- For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
- Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.
Page 52

Wrap-up

Breaches involve many types of costs:
- In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
- A PHI breach may result in fines that seem disproportionate to the number of records exposed.
- Per-record metrics are appropriate for some types of breaches (PII, PHI, CCard), but not others (IP).
- Brand damage and loss of stock value are difficult to measure, and, in some cases, do not appear to exist.

Page 53

Wrap-up
The costs of a data breach can range from nothing to over $170 million:
- Breaches that are never detected cost nothing, or at least nothing that can be measured.
- Per the numbers from the 2011 Ponemon Institute Cost of Breach study, there is a wide variation in total breach cost: from $500K to over $20 million.
- For breaches that expose more than 1 million records, the reported costs per record vary greatly, ranging from as little as $0.90 per record (HPS) to as much as $80 per record (GP).
Page 54

Wrap-up
There may be patterns in the data that can help us predict the cost of a breach, should it happen to us:
- The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
- Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
- As breach size increases, some costs appear to scale more than others: forensics = less, notifications = more, credit monitoring = more, fines & judgments = more, customer loss = unknown.
Page 55

QUESTIONS

"Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice."
PC MAGAZINE, EDITORS' CHOICE

One Alewife Center, Suite 450 Cambridge, MA 02140 PHONE 617.206.3900


WWW.CO3SYS.COM

"Co3 defines what software packages for privacy look like."


GARTNER

"Platform is comprehensive, user friendly, and very well designed."


PONEMON INSTITUTE

Patrick Florer Co-Founder & CTO Risk Centric Security, Inc. 214-828-1172 patrick@riskcentricsecurity.com www.riskcentricsecurity.com

APPENDIX

What kinds of data might be exposed? Operational Data:


- Unpublished phone numbers
- Private email addresses
- HR data about employees
- Passwords and login credentials
- Certificates
- Encryption keys
- Tokenization data
- Network and infrastructure data

Page 59

What kinds of data might be exposed? Intellectual Property:


- Company confidential information
- Financial information
- Merger, acquisition, divestiture, marketing, and other plans
- Product designs, plans, formulas, recipes

Page 60

What kinds of data might be exposed? Financial information:


- Credit / debit card data
- Bank account and transit routing data
- Financial trading account data
- ACH credentials and data

Page 61

What is PII in the European Union? Personally Identifiable Information (PII):


A term similar to PII, "personal data", is defined in EU directive 95/46/EC, for the purposes of the directive, in Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(from wikipedia.com)

Page 62

What is Protected Health Information (PHI)?


PHI that is linked to a person by any of the following 18 identifiers must be treated with special care according to HIPAA:
- Names
- All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
- Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
Page 63

What is Protected Health Information (PHI)?


Protected Health Information (PHI), identifiers continued:
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
Page 64

How do we estimate costs? Intellectual Property: how to value it?

- Fair Market Value
- Cost to Create
- Historical Value

Methodologies:
- Cost Approach: Reproduction or Replacement
- Market Approach
- Income Approach
- Relief from Royalty Approach
- Technology Factor

Page 65
