Remarks of Speakers
Pages 5-36



From page 5...
... He introduced the types and impacts of data breaches and offered perspectives on their remediation. The types of data breaches that are most salient for consumers are unlawful exfiltration of personal data and wrongful dissemination, destruction, or corruption of that data, Reidenberg said.
From page 6...
... If someone adopts a false identity and receives medical care under the assumed name, how can the real and false medical records be identified and corrected to avoid potential safety problems in the context of future medical treatment for the identity theft victim? In Reidenberg's view, there is currently no effective mechanism to deal with remediation of such potential downstream consequences of data breaches.
From page 7...
... Would the utility company help bear the costs? Individuals and small businesses often wind up assuming the costs of data breaches, yet they have the fewest assets to absorb them.
From page 8...
... Four main areas he sees as particularly ripe for investigation include mapping the harms of data breaches to the breach type and characteristics of affected stakeholders; developing a comprehensive understanding of the full costs of remediation and the benefits of prevention; creating policies or procedures to standardize the reporting of security breaches; and developing a framework for accountability when implementing countermeasures.
COSTS AND CAUSES OF CYBER INCIDENTS
Sasha Romanosky, RAND Corporation
How much does a data breach cost a business?
From page 9...
... are borne by the manufacturing, retail, finance, and insurance industries. Drilling deeper into the financial costs to firms from data breaches, Romanosky described two kinds of costs: "first-party costs" and "third-party costs." First-party costs are those a company bears after a data breach, such as the costs to notify consumers, cover remediation, and implement increased security measures as necessary.
From page 10...
... Analyzing the 12,000 cyber incidents in the database, Romanosky found that despite there being some very large, expensive data breaches -- such as those at Target, Sony, Anthem, and Home Depot -- that drive the mean cost of a breach toward the $5 million range, which has been frequently cited, the typical cost to an entity is less than $200,000. He said that although this may seem surprisingly low, an important additional finding is that nearly 40 percent of all companies affected have suffered multiple incidents -- a group Romanosky calls "repeat players" -- and these companies suffer higher costs for some types of events.
From page 11...
... Since the passage of California's initial data breach notice law, the legal framework around data breaches has been continually updated in response to emerging threats and consumer harms. For example, the laws were updated in 2008 and 2009 to include medical and insurance data and harsher penalties after Los Angeles-area hospital staff were caught selling celebrities' medical data.
From page 12...
... Givens said that the California experience has also shown that requiring public reporting of data breaches can increase transparency of and research access to these events. She noted, as an example, that in California the attorney general has published helpful breach reports and analyses based on the information collected over the years.
From page 13...
... Those involved in perpetrating fraud are casting a much wider net, including information such as school or medical records, online login credentials, and more. Givens said that according to Javelin's 2015 Fraud Impact Report, "Nearly any piece of information that fraudsters can get their hands on can be used to initiate or strengthen an attack." Another change Givens observed is that it can no longer be assumed that data breaches are always financially motivated.
From page 14...
... She also suspects that after bigger companies become smarter about data protection, fraudsters will target midsize and smaller places of business, which may not invest heavily in data protection or have time available to train staff in proper handling of sensitive records. Transparency of data breaches could help consumers when deciding which financial or medical institutions to trust, Givens said.
From page 15...
... Facilitating effective, appropriate IT security within this complex environment is challenging, but has also generated "a number of information security success stories," Murphy said, with innovative and effective solutions arising across the university system's diverse schools and centers.
From page 16...
... The primary goals of SAVE are to prevent privacy breaches; avoid loss of intellectual property, resources, or reputation; and reduce noncompliance. He noted that the program offers strong recommendations, but no mandates, to improve data security, access, awareness, and training for safe data handling.
From page 18...
... Because breaches have become so frequent and widespread, Adkins said consumers' apparent reluctance to leave companies that disclose data breaches may also ...
From page 19...
... However, she acknowledged that this is not a foolproof fix; despite near-constant credit monitoring and multiple credit card re-issues, she noted that her personal data is likely still vulnerable to breach and fraud. Another reason to disclose data breaches is to aid in the deterrence of future attacks, Adkins argued.
From page 20...
... Disclosing known attacks to employees offers valuable fodder for engaging in collaborative conversations about improving data security. Adkins closed with a few comments about formal groups in which players have established deep relationships.
From page 21...
... Sharing Google's breach data would require removing any personally identifiable information, and so it might be easier, safer, and more useful for Google to share data around an attack: how it started, what techniques were used, and so forth. She further observed that additional complications include the fact that huge attacks, like those at Target and Home Depot, are not characteristic of most data breaches, and also, many breaches simply go undetected.
From page 22...
... He noted that other types of lawsuits can be brought after a breach and spoke specifically about shareholder derivative or employee lawsuits. He observed that although data breaches have not proven to cause significant financial losses for their companies in the long run, in the short run, they can be very damaging for stock prices, and thus for their shareholders, who might try to bring suit.
From page 23...
... Second, he expressed optimism that technology will continue to offer fixes, such as encryption, that make data security easier and better, although of course, companies will have to decide to invest in these fixes. And finally, Belair said he believes the culture around ...
From page 24...
... Belair described how when issuing policies, insurers collect enormous amounts of data on the companies they cover, requiring comprehensive questionnaires and documentation covering all aspects of the company's security measures, company processes, and employee policies. Because of the lack of federal policies for security standards, Belair said these insurance companies are essentially creating security policy.
From page 25...
... Harvey said that companies must also be aware that suspected or potential data breaches are tantalizing stories for the media, prosecutors, regulators, and other stakeholders. Disclosures and their timing can have immediate and lasting effects on stock prices, customers' trust, and other downstream effects.
From page 26...
... In the Target hack the same year, Target was liable, to the tune of tens of millions of dollars, to the credit card companies whose card numbers were stolen. In fact, Harvey observed that credit card companies have a great deal of power when it comes to data breaches involving credit card information; Harvey categorized the companies as "judge, jury, and executioner" in these situations.
From page 27...
... Harvey switched gears and asked a question that provoked a wide discussion among attendees: Is there true consumer harm when a credit card number is stolen? If no identity fraud is committed, he posited that a consumer has not suffered a tangible loss.
From page 28...
... Data breaches are all too common and affect a huge swath of the population, essentially making normal what should, in Vladeck's view, be considered unacceptable. In 2014 alone, 110 million Americans -- more than one-third of the population -- had their data breached, he noted.
From page 29...
... Although researchers, as a result, only have access to what Vladeck said is "the tip of the iceberg" in terms of total data breaches, that information can be a useful starting point for greater insights into what works and what does not in terms of data security protections. Vladeck noted that the most common type of data breached, and the majority of the cases the FTC has brought so far, is personally identifiable information.
From page 30...
... "We need to recognize that the risk of identity theft itself is a real harm, just the way the risk of cancer and the risk of other things that are bad are real harms," Vladeck said. As for tangible financial harm after a breach, Vladeck rebutted the suggestion that current measures to protect consumers against fraudulent credit card charges makes a credit card breach essentially harmless: "It is simply not true that the people whose financial information was taken as the result of the big breaches suffered no loss." While they ...
From page 31...
... Vladeck concluded by enumerating another harm from today's constant stream of data breaches: a growing mistrust of the Internet economy. Computer hacking was the crime most worrisome to Americans in 2014, and more than 60 percent of Americans are concerned about the security of their credit card information, phones, or computers.1 In a question, Deirdre Mulligan raised the point that remediation is necessary because no matter how solid data protections become, breaches will remain, at least to some degree, inevitable.
From page 32...
... Returning to an idea explored in several other presentations, Steve Lipner brought up the role insurers play in this sphere. Vladeck suggested that their presence improves data security discipline among companies, for example, by refusing coverage to companies who do a poor job of data security.
From page 33...
... Through these cases, the FTC has developed a broad notion of both qualitative and quantitative harm; Burstein reiterated how difficult it is to measure qualitative harm and noted that the FTC proceeds cautiously in addressing it. One reason for this is that the FTC is governed by a legal standard of "unfairness," which, in order to win a case, requires "proof of substantial injury to consumers, costs that don't outweigh the benefits, and something that wasn't reasonably avoidable by consumers." However, the variety of potential consumer harms is increasing as data breaches evolve into new areas.
From page 34...
... In his view, the FTC can help address this by identifying appropriate information security practices, or, at the very least, identifying what constitutes an unreasonable vulnerability. Burstein observed that the FTC has learned a great deal about best security practices that can be useful to help companies identify and address weak security measures.
From page 35...
... He also noted that the FTC does not have authority to issue regulations in the way that is typical of other agencies, and that the breadth of companies the FTC focuses on makes it challenging to create a rule that could be binding and required of companies that are subject to it.

