
posted by Fnord666 on Sunday November 04 2018, @02:37PM
from the don't-be-an-Equifax dept.

Submitted via IRC for chromas

The true cost of a data breach

From the implementation of the General Data Protection Regulation (GDPR) back in May, which fundamentally changed the rulebook for storing data of EU citizens at least, to the Butlin's hack, 2018 has been a very significant year for cybersecurity.

One of the biggest changes centred around transparency, specifically businesses being forced to reveal within 72 hours that they have suffered a breach. While the US has had this type of policy for a while, businesses in the EU were not required to publicly state when a breach occurred, leaving them free to keep significant news like this from their customers. Now things have changed, and it's starting to heat up in the EU.

The first thing anyone thinks of when considering the cost of something is how it can be calculated in monetary terms. Up until now, it's been difficult to pinpoint the exact cost of a data breach, given that many companies are not too willing to unveil the money they've spent cleaning up the mess left behind after being hit, or the drop in sales figures. There are some indications, though, that can help give guidance. Studies such as the Ponemon Institute's annual Cost of a Data Breach report aim to paint a clearer picture, indicating that the average cost is currently $3.62 million globally ($141 per record exposed) and as much as $7.35 million in the US.

[...] As well as business suffering from a clear financial hit, the transparency aspect of GDPR has increased the potential for companies to suffer reputationally as well. As consumers become more aware of the increasing number of breaches out there, they are starting to understand they have the power in the relationship, particularly with GDPR enabling points like the ‘right to be forgotten’.

Companies need to realise that if they get breached, consumers will simply go to another brand they consider to be more secure. Take the case of TalkTalk as a great example. Following its well-publicised data breach, the company lost around 100,000 customers, who simply deemed that they could not trust the business to keep their details safe. In this case the CEO also had to step down, a growing consequence that is beginning to develop with senior management usually in the firing line when a breach occurs.

[...] So, with regulation making things more transparent and media headlines making consumers more aware, how can businesses avoid being the next Equifax or TalkTalk?

The simple answer is that there needs to be a change of mindset when it comes to security in the business world. Businesses can no longer adopt an 'it won't happen to us' approach or a 'my perimeter can't be breached' mentality. The focus must be on securing the most sensitive data a business holds at its core. Too many companies attempt to secure the outside and leave the data itself exposed, meaning that if an attacker breaks in, they can simply help themselves. Encrypting data at rest and in motion, managing the encryption keys securely and storing them separately from the data they protect, while also managing and controlling user access, are vital steps for businesses to take to protect themselves.
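The last paragraph's advice, encrypt the records themselves and keep the keys somewhere the data store cannot reach, is what envelope encryption implements. The Go program below is an added illustration, not code from the article or from any product it names. It assumes a hypothetical `KeyService` standing in for a KMS or HSM that never hands out its key-encryption key (KEK): each record is encrypted with its own data-encryption key (DEK) under AES-GCM, the DEK is wrapped under the KEK with the record ID as associated data, and rotating the KEK only rewraps DEKs without touching record ciphertext. A dump of the record store alone yields ciphertext and wrapped DEKs, which is the point the article is making.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the database stores: no plaintext and no usable key.
// Both byte slices are laid out as nonce || AES-GCM ciphertext+tag.
type Record struct {
	ID         string
	WrappedDEK []byte // per-record DEK encrypted under the KEK
	Ciphertext []byte // record body encrypted under the DEK
}

// KeyService is a hypothetical stand-in for a KMS/HSM. Only Wrap/Unwrap
// are exposed; the KEK never leaves it, so the storage tier cannot hold it.
type KeyService struct{ kek []byte }

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32) // AES-256 KEK, generated inside the boundary
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// aeadSeal encrypts plaintext with a fresh random nonce and binds aad to it.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any tampering with ciphertext or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap/Unwrap use the record ID as associated data, so a wrapped DEK copied
// from one record cannot be transplanted onto another.
func (k *KeyService) Wrap(dek []byte, recordID string) ([]byte, error) {
	return aeadSeal(k.kek, dek, []byte(recordID))
}

func (k *KeyService) Unwrap(wrapped []byte, recordID string) ([]byte, error) {
	return aeadOpen(k.kek, wrapped, []byte(recordID))
}

// EncryptRecord generates a one-off DEK, encrypts the body under it, and
// stores only the KEK-wrapped DEK alongside the ciphertext.
func EncryptRecord(ks *KeyService, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek, id)
	if err != nil {
		return Record{}, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the key service for every read: there is no offline
// path from the stored record back to plaintext.
func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK, r.ID)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, r.Ciphertext, []byte(r.ID))
}

// Rewrap rotates the KEK: the DEK is unwrapped with the old service and
// wrapped with the new one; the (possibly huge) record body is untouched.
func Rewrap(oldKS, newKS *KeyService, r Record) (Record, error) {
	dek, err := oldKS.Unwrap(r.WrappedDEK, r.ID)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := newKS.Wrap(dek, r.ID)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: r.ID, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

func main() {
	ks, _ := NewKeyService()
	// Constructed sample record; not real customer data.
	rec, _ := EncryptRecord(ks, "cust-1001", []byte("name=A. Example;dob=1970-01-01"))
	pt, err := DecryptRecord(ks, rec)
	fmt.Printf("stored %d ciphertext bytes, decrypt ok=%v: %s\n", len(rec.Ciphertext), err == nil, pt)
}
```

The checks a practitioner should run against this pattern: a flipped ciphertext byte must fail authentication, a wrapped DEK moved between record IDs must fail to unwrap, and after rotation the old key service must no longer be able to read the record.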


Original Submission

Related Stories

Equifax Agrees to Pay $650 Million Settlement for Data Breach

Equifax to Pay at Least $650 Million in Largest Data-Breach Settlement Ever

The credit bureau Equifax will pay at least $650 million and potentially significantly more to end an array of state, federal and consumer claims over a data breach two years ago that exposed the sensitive information of more than 148 million people. The breach was one of the most potentially damaging in an ever-growing list of digital thefts.

The settlement, which was announced on Monday and still needs court approval, would be the largest ever paid by a company over a data breach. The deal requires Equifax to put a minimum of $380.5 million into a restitution fund for American consumers who file claims showing that they were financially harmed.

A portion of that money will pay for lawyers' fees, but at least $300 million must go to victims, according to settlement documents filed in federal court in Atlanta. If the initial cash is depleted, the company will add up to $125 million more to settle consumers' claims, bringing the total fund size to more than $500 million.

Also at: Ars Technica.

Previously:
Lawsuits Aim Billions in Fines at Equifax and Ad-Targeting Companies
The True Cost of a Data Breach
Equifax Admits 2.5 Million More Americans Were Affected by Cyber Theft
Equifax Data Breach Could Affect 143 Million Americans [Updated]


Original Submission

This discussion has been archived. No new comments can be posted.
  • (Score: 2) by BsAtHome on Sunday November 04 2018, @04:02PM (5 children)

    by BsAtHome (889) on Sunday November 04 2018, @04:02PM (#757642)

    Data breaches should be proportional and progressive, becoming so expensive as to be cumulatively catastrophic for the firm.

    The first criterion should reflect the extent and impact of the breach. The second criterion should be "have they learned their lesson?". Each subsequent breach should be progressively more expensive, and the firm should simply go bankrupt if they do not learn their lesson.

    For example: Lost your data three times? Well, that is fine, please go to the line "corporate liquidation". That would send a strong message.

    • (Score: 4, Interesting) by RandomFactor on Sunday November 04 2018, @04:44PM (4 children)

      by RandomFactor (3682) Subscriber Badge on Sunday November 04 2018, @04:44PM (#757657) Journal

      If one CIO slacks, you destroy the livelihood of tens of thousands. Holding senior officers directly accountable is both more effective and more humane.

      --
      In Pravda there is no news; in Izvestia there is no truth.
      • (Score: 0) by Anonymous Coward on Sunday November 04 2018, @07:42PM (1 child)

        by Anonymous Coward on Sunday November 04 2018, @07:42PM (#757706)

        So maybe increase the jail term for the C-suite vermin exponentially then. Same idea, different variable.

        • (Score: 1, Interesting) by Anonymous Coward on Sunday November 04 2018, @11:36PM

          by Anonymous Coward on Sunday November 04 2018, @11:36PM (#757780)

          > So maybe increase the jail term for the C-suite vermin exponentially then. Same idea, different variable.

          Just to add that the CXOs should do their time in a maximum or, at the very least, a medium security prison; no more "Club Fed" for these jokers. Also, all proceeds from book and/or movie deals should go into a victim relief fund; no more profiting off their notoriety.

      • (Score: 0) by Anonymous Coward on Sunday November 04 2018, @11:50PM

        by Anonymous Coward on Sunday November 04 2018, @11:50PM (#757782)

        Use their misuse of trust as justification of exceptions to all the copyright and patent hoopla they all lobbied for.

      • (Score: 2) by PiMuNu on Monday November 05 2018, @03:40PM

        by PiMuNu (3823) on Monday November 05 2018, @03:40PM (#758008)

        > If one CIO slacks, you destroy the livelihood of tens of thousands.

        No, the company declares bankruptcy, assets turn over to the EU and then rebrands and gets sold off. SNAFU.
