BreachExchange mailing list archives
How not to handle a data breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 10 Mar 2011 02:09:09 -0500
http://www.infoworld.com/t/security/how-not-handle-data-breach-992

Press the panic button as soon as you find evidence customer data has been compromised, and you'll pay the price.

Once a data breach is discovered, the best response is to spring into action and notify customers as fast as humanly possible, right? Well, not really. A brand-new Ponemon Institute study [PDF] sponsored by Symantec finds that data breach victims often move too quickly, wasting lots of money and losing customers unnecessarily.

According to Ponemon's "Annual Study: U.S. Costs of a Data Breach," companies that respond to data breaches by immediately notifying their users end up spending 54 percent more per record than companies that move more slowly. Forty-three percent of surveyed companies notified customers within one month of discovering the breach, but these companies ended up with per-record costs of $268, up 22 percent from 2009. Companies that took longer than a month spent only $174 per record, down 11 percent from 2009.

What's the explanation? It turns out that many companies tend to panic when they find a data breach, thanks to fears about lawsuits, regulatory fines, and bad publicity, and thus are not as prepared with the forensic tools and strategies as they should be. Their gut reaction is to get notification over with as fast as possible, so they end up notifying an excess of customers, including many of those who are unaffected by the breach. As a result, they end up shooting themselves in the foot. The biggest cost of data breaches is customer churn, according to the study, and many of these companies end up losing lots of customers that they didn't need to notify. According to Ponemon, companies that take a more surgical approach and spend the time on forensics to detect which customers are actually at risk and require notification ultimately spend less on data breaches.

The study reported other findings on the state of network security:

Malicious or criminal attacks are the most expensive and are on the rise. In this year's study, 31 percent of all cases involved a malicious or criminal act, up seven points from 2009, and averaged $318 per record, up 43 percent from 2009.

In addition: The cost of breaches by third-party outsourcers rose significantly, up $85 (39 percent) to $302 per record. These figures may indicate that compliance with government and commercial regulations for data protection is dramatically raising breach costs involving outsourced data.

The moral, as always, is be prepared. Have a strategy and tools in place to do the proper forensics, know your exact compliance requirements, and move quickly but cautiously to notify only those customers that are affected directly. In other words: Don't panic!

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/