2. Agenda
• Introductions
• Deconstructing the cost of a data breach:
• Data breaches can involve many types of data.
• Data breaches can involve many types of costs.
• The costs of a data breach can range from zero to more
than $170 million.
• Q&A
Page 2
3. Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Security / compliance entrepreneur
• Security industry analyst
• Patrick Florer, Co-Founder & CTO, Risk Centric Security
• Fellow of and Chief Research Analyst at the Ponemon Institute.
• 32 years of IT experience, including roles in IT operations,
development, and systems analysis
• 17 years in parallel working in medical outcomes research,
analysis, and the creation of evidence-based guidelines for medical
treatment
4. Co3 Automates Breach Management
PREPARE: Improve Organizational Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
ASSESS: Quantify Potential Impact, Support Privacy Impact Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
REPORT: Document Results and Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational preparedness
• Generate audit/compliance reports
MANAGE: Easily Generate Detailed Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion
5. About Risk Centric Security
• Risk Centric Security offers state of the art SaaS tools and training that
empower Information Security Professionals to perform credible,
defensible, and reproducible risk and decision analyses, and to
articulate the results and relevance of these analyses in language that
business counterparts will understand.
• Risk Centric Security was founded by two Information Technology and
Information Security veterans who have more than forty years of
combined experience providing solutions to complex problems for
smaller companies as well as for companies in the Fortune 1000.
Risk Centric Security, Inc.
www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software
6. What is a data breach?
Data Breach:
• A data breach is an incident in which sensitive, protected or confidential data
has potentially been viewed, stolen or used by an individual unauthorized to
do so. Data breaches may involve personal health information (PHI),
personally identifiable information (PII), trade secrets or intellectual property.
• The law is evolving – basically a breach is an unauthorized use of a computer
system.
• Many prosecutions take place under provisions of the Computer Fraud and
Abuse Act (CFAA).
• Data breaches can also happen by accident or error.
7. What is a data breach?
Data Breach:
• Is the concept of a breach too narrow to describe many
types of events?
• Do we need different words and concepts?
-A single event at a single point in time?
-What about an attack that exfiltrates data over a long
period of time?
8. What kinds of data might be exposed?
• Operational Data
• Intellectual Property
• Financial Information
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
9. What kinds of data might be exposed?
Personally Identifiable Information (PII):
• The U.S. government used the term "personally identifiable" in 2007 in a
memorandum from the Executive Office of the President, Office of
Management and Budget (OMB), and that usage now appears in US
standards such as the NIST Guide to Protecting the Confidentiality of
Personally Identifiable Information (SP 800-122). The OMB
memorandum defines PII as follows:
• Information which can be used to distinguish or trace an individual's
identity, such as their name, social security number, biometric records,
etc. alone, or when combined with other personal or identifying
information which is linked or linkable to a specific individual, such as
date and place of birth, mother’s maiden name, etc.
10. What data aren’t PII?
• Data that identify a person that are not considered
protected:
• Name
• Address
• Phone number
• Email address – things are changing with regard to e-mail
addresses
• Facebook name
• Twitter handle
11. Is it PII or not?
Personally Identifiable Information (PII):
• According to the OMB, it is not always the case that PII is "sensitive",
and context may be taken into account in deciding whether certain PII
is or is not sensitive.
• Geo-location data?
• Was the Epsilon breach a “breach”?
• Have there been other “non-breach” breaches?
• Given the powerful correlations that can be made, are these definitions
too narrow?
12. What kinds of data might be exposed?
Protected Health Information (PHI):
Protected health information (PHI), under the US Health
Insurance Portability and Accountability Act (HIPAA), is
any information about health status, provision of health
care, or payment for health care that can be linked to a
specific individual. This is interpreted rather broadly and
includes any part of a patient’s medical record or payment
history.
14. What costs are we going to discuss?
• Direct and Indirect Costs?
• Primary and Secondary Costs?
• Costs that we should be able to discover and/or
estimate.
• Costs that might be difficult to discover and/or
estimate.
15. What costs are we going to discuss?
Costs that we should be able to discover and/or
estimate:
• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State
Attorneys General, etc.)
16. What costs are we going to discuss?
Costs that we should be able to discover and/or
estimate:
• Fines and indemnifications imposed by contracts with business
partners
• Contractual fines and penalties resulting from PCI DSS related
incidents - either data loss or compliance failure
• Judgments and legal settlements - customers, business partners,
shareholders
• Additional compliance and audit costs related to legal settlements (20
years of additional reporting, for example)
17. What costs are we going to discuss?
Costs that might be difficult to discover and/or
estimate:
• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and Sales losses from customers and
business partners who went elsewhere
• Value of intellectual property
18. Whose costs are we going to discuss?
• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
19. How do we measure and estimate costs?
• Fixed / Overall Costs
• Per record costs
• Direct/Primary
• Indirect/Secondary
• Variable costs that scale with magnitude of breach
20. Sources of Data
How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office of Civil Rights (OCR) actions
• FTC actions
• Press releases
Disclosure laws
• HIPAA/HITECH
• State breach laws
• New SEC Guidance re “material” impact
21. Sources of Data
Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)
Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)
22. Sources of Data
Non-public sources:
• Forensics Investigators
• Card Brands
• Payment Processors
• Subscription services
• Data sharing consortia – Information Sharing and Analysis
Centers (ISACs)
• Government Intelligence agencies
• Word of mouth and anecdotal evidence
23. Some Estimates of Cost
Ponemon Institute 2011 Cost of Data Breach Study:
United States
• 49 Companies surveyed – multiple people per company.
• Breach sizes ranged from 5K – 100K exposed records.
• Participants estimated the minimum and maximum
amounts for a number of costs, from which the mid-point
value was selected.
• According to some legal experts, Ponemon Institute
numbers are the “gold” standard in the Federal Courts.
• The raw data are published in the report appendix.
25. Some Estimates of Cost: Ponemon Institute
In the 2011 report:
• Overall weighted average per record = $194 (down from
$214 in 2010)
• Overall average total = $5.5 M (down from $7.2M in 2011)
28. Some Estimates of Cost: Larger Breaches
DSW Shoes (2005):
• 1.4 million records / $6.5M – $9.5M (press releases)
• Cost per record = $4.64 – $6.79
29. Some Estimates of Cost: Larger Breaches
TJX (Dec, 2007):
• 90 million records / $171M – $191M (SEC filings)
• Accelerated CapEx = $250M (rumored)
• Cost per record = $1.90 – $2.12
30. Some Estimates of Cost: Larger Breaches
Heartland Payment Systems (Dec, 2009):
• 130 million records / $114M – $117M, after $31.2M recovery
from insurance (SEC filings)
• Cost per record = ~$0.90
31. Some Estimates of Cost: Larger Breaches
Sony (Mar, 2011):
• 100 million records / $171M (Sony press release)
• Cost per record = $1.71
32. Some Estimates of Cost: Larger Breaches
Global Payments (June, 2011):
• 1.5 – 7 million records / $84.4M in 2012, $55M – $65M in
2013 (SEC filings)
• Up to $30M recovered through insurance (SEC filings)
• Total cost estimated to be $110M – $120M
• Cost per record = $15.71 – $80
33. Some Estimates of Cost: Larger Breaches
South Carolina Department of Revenue (October,
2012), as of 11/08/2012:
• 3.8M individual tax returns exposed – up from 3.6M
• 657,000 business returns exposed
• Two pronged attack – phish and malware
• Data were not encrypted – Governor of SC stated it was
best practice not to encrypt
• Outside forensics and legal have been retained
• Total cost estimated to be $12M – $18M
• Cost per record = $3 – $5
34. Some Estimates of Cost: Correlations
• Measured on a per record basis, the cost per
record declines as the size of the breach increases
• Measured on a total cost basis, the total cost
increases as the number of exposed records
increases
• Both of these correlations are weak
47. Are There Patterns in the Data? Log10 Frequency of Exposed Records (chart)
48. Are There Patterns in the Data? Beta4 Distribution with Uncertainty (chart)
49. Are There Patterns in the Data? Beta4 Quantile-Quantile (Q-Q) Plot (chart)
50. Are There Patterns in the Data? Levy Distribution – a very poor fit (chart)
51. Are There Patterns in the Data? Future Research
Model breach cost by size of breach, using a
scale that is logarithmic (mostly):
• <5K records
• 5K – 100K records
• 100K – 1M records
• 1M – 10M records
• 10M – 100M records
• >100M records
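The size classes above, together with the correlations claimed on slide 34, can be checked against the six breach figures quoted earlier in the deck. This is an added example, not the presenters' or Risk Centric Security's code: it derives per-record ranges the way the deck's GP figure implies (lowest cost over most records, highest over fewest), takes Ponemon-style midpoints, assigns the slide's size buckets, and runs a Spearman rank correlation, which on six points is only a sign check, not the weak correlations the deck reports for its full dataset.

```python
from dataclasses import dataclass

@dataclass
class Breach:
    name: str
    records_lo: float  # exposed records, low estimate
    records_hi: float  # exposed records, high estimate
    cost_lo: float     # reported total cost in USD, low estimate
    cost_hi: float     # reported total cost in USD, high estimate
    def per_record_range(self):
        # Widest defensible range: lowest cost over most records, highest over fewest.
        return self.cost_lo / self.records_hi, self.cost_hi / self.records_lo
    def midpoint(self):
        # Ponemon-style midpoint of the reported min/max estimates: (records, cost).
        return (self.records_lo + self.records_hi) / 2, (self.cost_lo + self.cost_hi) / 2

# Figures as quoted in the deck (SC DoR counted as its 3.8M individual returns).
BREACHES = [
    Breach("DSW", 1.4e6, 1.4e6, 6.5e6, 9.5e6),
    Breach("TJX", 90e6, 90e6, 171e6, 191e6),
    Breach("HPS", 130e6, 130e6, 114e6, 117e6),
    Breach("Sony", 100e6, 100e6, 171e6, 171e6),
    Breach("GP", 1.5e6, 7e6, 110e6, 120e6),
    Breach("SC DoR", 3.8e6, 3.8e6, 12e6, 18e6),
]

# Size classes from the "Future Research" slide; upper edges are inclusive.
EDGES = [5e3, 1e5, 1e6, 1e7, 1e8]
LABELS = ["<5K", "5K-100K", "100K-1M", "1M-10M", "10M-100M", ">100M"]

def size_bucket(records):
    return LABELS[sum(1 for edge in EDGES if records > edge)]

def _ranks(values):
    order = sorted(range(len(values)), key=values.__getitem__)
    ranks = [0] * len(values)
    for rank, idx in enumerate(order, start=1):
        ranks[idx] = rank
    return ranks

def spearman(xs, ys):
    # Spearman rank correlation; the six breaches above have no ties.
    d2 = sum((a - b) ** 2 for a, b in zip(_ranks(xs), _ranks(ys)))
    n = len(xs)
    return 1 - 6 * d2 / (n * (n * n - 1))

def correlations(breaches=BREACHES):
    # Returns (rho of total cost vs size, rho of per-record cost vs size).
    recs, cost = zip(*(b.midpoint() for b in breaches))
    per_rec = [c / r for c, r in zip(cost, recs)]
    return spearman(recs, cost), spearman(recs, per_rec)
```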
52. Wrap-up
• We have covered many topics today. To
summarize:
• Breaches can involve many types of data:
• To date, most reported breaches deal with PII, PHI, and
credit card data.
• For many of these breaches, the number of records
exposed is not reported, often because the number is
unknown.
• Intellectual property breaches are seldom reported,
possibly because they are so difficult to detect.
53. Wrap-up
• Breaches involve many types of costs:
• In the largest credit card breaches, the majority of costs
are due to settlements with the card brands.
• A PHI breach may result in fines that seem
disproportionate to the number of records exposed.
• Per-record metrics are appropriate for some types of
breaches (PII, PHI, CCard), but not others (IP).
• Brand damage and loss of stock value are difficult to
measure, and, in some cases, do not appear to exist.
54. Wrap-up
• The costs of a data breach can range from nothing to over
$170 million.
• Breaches that are never detected cost nothing – nothing
that can be measured, at least.
• Per the numbers from the 2011 Ponemon Institute Cost of
Breach study, there is a wide variation in total breach cost:
from $500K to over $20 million.
• For breaches that expose more than 1 million records, the
reported costs per record vary greatly, ranging from as
little as $0.90 (HPS) per record to as much as $80 per
record (GP).
55. Wrap-up
• There may be patterns in the data that can help us predict
the cost of a breach, should it happen to us:
• The numbers of records exposed in reported breaches
appear to follow a lognormal distribution.
• Although the correlations are not strong, total costs
increase and per-record costs decrease as the number of
exposed records increases.
• As breach size increases, some costs appear to scale
more than others: forensics = less, notifications = more,
credit monitoring = more, fines & judgments = more,
customer loss = unknown
57. “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages for privacy look like.”
GARTNER
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
Patrick Florer
Co-Founder & CTO
Risk Centric Security, Inc.
214-828-1172
patrick@riskcentricsecurity.com
www.riskcentricsecurity.com
59. What kinds of data might be exposed?
Operational Data:
• Unpublished phone numbers
• Private email addresses
• HR data about employees
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data
60. What kinds of data might be exposed?
Intellectual Property:
• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and other plans
• Product designs, plans, formulas, recipes
61. What kinds of data might be exposed?
Financial information:
• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data
62. What is PII in the European Union?
Personally Identifiable Information (PII):
• A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the
purposes of the directive:
Article 2a: 'personal data' shall mean any information relating to an identified
or identifiable natural person ('data subject'); an identifiable person is one who
can be identified, directly or indirectly, in particular by reference to an
identification number or to one or more factors specific to his physical,
physiological, mental, economic, cultural or social identity;
from wikipedia.com
63. What is Protected Health Information (PHI)?
• Under HIPAA, health information linked to any of the following 18 identifiers
is PHI and must be treated with special care:
• Names
• All geographical subdivisions smaller than a State, including street address,
city, county, precinct, zip code, and their equivalent geocodes, except for the
initial three digits of a zip code, if according to the current publicly available
data from the Bureau of the Census: (1) The geographic unit formed by
combining all zip codes with the same three initial digits contains more than
20,000 people; and (2) The initial three digits of a zip code for all such
geographic units containing 20,000 or fewer people is changed to 000
• Dates (other than year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over 89
and all elements of dates (including year) indicative of such age, except that
such ages and elements may be aggregated into a single category of age 90
or older
• Phone numbers
64. What is Protected Health Information (PHI)?
Protected Health Information (PHI):
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers;
• Device identifiers and serial numbers;
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (note this does not
mean the unique code assigned by the investigator to code the data)
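The zip-code, date and over-89 age rules quoted in the list above can be applied mechanically before a record leaves the system that holds it, which is the cheapest way to keep these identifiers out of an exposure in the first place. The following is an added example, not code from the deck or from either vendor; its field names, the sample record and the restricted zip-prefix set are constructed placeholders (the real prefix list comes from current Census data, which the deck does not reproduce).

```python
from datetime import date

# Constructed placeholder set: the real list of 3-digit zip prefixes covering
# 20,000 people or fewer comes from current Census data, not from this deck.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Identifier classes from the deck's list that are removed outright
# (field names are this example's own, not HIPAA's).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle", "device", "url", "ip", "biometric", "photo", "other_id",
}
PERSON_DATES = ("birth_date", "admission_date", "discharge_date", "death_date")

def age_on(birth, as_of):
    # Completed years between the birth date and the reference date.
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def generalize_zip(zip_code):
    # Keep the initial three digits, or "000" for a restricted prefix.
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3

def generalize_age(age):
    # Ages over 89 collapse into the single category "90+".
    return "90+" if age > 89 else str(age)

def generalize_date(d, age):
    # Only the year may remain, and not even that when it reveals an age over 89.
    return None if age > 89 else str(d.year)

def safe_harbor(record, as_of):
    """Return a copy of `record` with the listed identifiers removed or
    generalized; `record` must carry a `birth_date` (datetime.date)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = age_on(record["birth_date"], as_of)
    out["age"] = generalize_age(age)
    for key in PERSON_DATES:
        if key in out:
            out[key] = generalize_date(out[key], age)
    if "zip" in out:
        out["zip"] = generalize_zip(out["zip"])
    return out

# Constructed sample record; every value is made up.
SAMPLE = {
    "name": "J. Doe", "ssn": "000-00-0000", "email": "jdoe@example.invalid",
    "zip": "02140-1234", "birth_date": date(1930, 5, 2),
    "admission_date": date(2012, 11, 8), "diagnosis": "constructed-code",
}
```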
65. How do we estimate costs – Intellectual Property
How to value?
• Fair Market Value
• Cost to Create
• Historical Value
Methodologies:
• Cost Approach: Reproduction or Replacement
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor