
With the eBay and Target breaches still fresh in our minds, it’s a good time to consider how we digest such data security incidents, because, while “breach” does describe what happened in both cases, the term falls far short of capturing the full measure of each event and what it means to both the organizations and the individuals involved. Language matters in these situations, especially if the information security and data privacy communities are interested in changing the behavior of those tasked with safeguarding networks, information or their own identities.

More than six months since Brian Krebs broke the news that its payment systems had been compromised—and with the fallout continuing—it’s safe to say that Target’s data breach has been vastly more damaging to its affected parties than the more recent breach affecting eBay. Yet despite the differences in the kinds of data accessed and exfiltrated from both organizations, the discussions surrounding both were treated with similar gravitas. The primary focus in both cases was on raw numbers: 70 million customers at Target and 140 million at eBay.

That both breaches generated a similar volume of alarmist reactions tells us that something is fundamentally broken in the public’s understanding of the value of personal data, or more to the point, the risks inherent when data falls into the wrong hands. If truth is in the eye of the beholder—whether they are the media, consumers or investors—we should accept that it’s possible for the beholder to have poor eyesight. It’s up to us to help correct that faulty vision. Enterprises already accomplish this by identifying, categorizing and valuing data more precisely and better understanding the implications of a data breach through an enterprise risk management framework.

Risk management is already a cross-functional business process designed to assess risk tolerance and quantify an organization’s acceptable loss. A company’s risk appetite must be contextual and honest, including acceptance of the inevitability of a data loss event. It must also consider that its response to a data breach influences and informs public response.

Following a data breach, the modus operandi for a company’s public announcement—or admission, should the disclosure come from a third party—usually goes like this:

  • “A certain number of our customers have been affected by a breach of our network.”
  • “We alerted authorities immediately upon becoming aware of the unauthorized access, are cooperating with their investigation and are putting all appropriate resources behind our own efforts to understand what happened.”
  • “Our first priority is preserving the trust of our customers. We have moved swiftly to address this issue and secure our systems. Please continue to use our service with full confidence that your privacy is protected.”

What’s missing from the above is an acknowledgement that a data breach notification makes a risk manager of each of the affected customers. As such, public outreach should provide information to help them to assess and respond appropriately based on their individual appetite for risk.

Treating every data security incident generically as a “breach” fuels the misconception that all breaches are created equal, perpetuates the tendency for media coverage to focus on misleading elements of a data breach, and may result in a poorly informed remediation response, either because a breach has been overhyped or because the public has simply grown weary of hyperbolic coverage—described here recently as “data breach fatigue.”


The average layperson sees the word “breach” and, thinking they have been hacked, with all the negative connotations that carries, struggles to determine what to do next. This puts them in the precarious position of having to make an immediate, haphazard impact and remediation assessment, something that takes enterprise risk managers months to accomplish.

In eBay’s case, remediation involved simply changing a password, whereas remediation for the Target breach was a complicated, confusing and expensive process of filing claims, replacing credit cards and monitoring credit activity. While the differences may have been evident to those of us “in the biz,” they were not communicated to the mainstream media who covered the events and thus were not well understood by the public.

Addressing this deficiency starts with making a comprehensive evaluation of all data types for which your organization is responsible and evaluating each category based on the likely risk to the organization and to any other affected parties, then establishing contingencies for responding to each in such a way as to convey information to the public that informs appropriate action. This includes both an acknowledgement that no amount of information security can absolutely prevent a data breach and a willingness to engage the public and industry in an open dialogue about the ramifications of a data breach and your organization’s assessment and appetite for risk.

If there’s one lesson learned from all well-publicized data breaches, it’s that there must be an ongoing and transparent process if industry is to engender trust with the public. As a final thought, here are some ways companies can collaborate both internally and with the public to reduce the impact of misperceived risk:

  • Ensure your marketing communications team is represented and active in your risk management committee.
  • Communicate, in detail, your internal breach impact assessment—What is the impact to us? What is the impact to you?—rather than just “here is a list of information that was lost.”
  • Advise on immediate actionable mitigation or remediation: What we are doing; what you can do.
  • Embrace the fact that no amount of information security can absolutely prevent a breach, and engage with the public to discuss the ramifications thereof before a breach happens, not after.
  • Share your risk assessment and risk appetite philosophy and algorithms with your industry and the public; the further you get from obscurity and propriety, the better off your company will be in the long run.