The Financial Impact of a Data Breach on Businesses

Ajay Kumar
5 min read · Mar 3, 2023

CISOs have become a new target in civil and criminal litigation

Photo by Vincent Botta on Unsplash

Nowadays we see data breaches and cyberattacks happening everywhere. Be it a private company, a public body or a government agency, breaches happen.

What actually is a data breach? According to Wikipedia:

A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill.

Now let’s look at how data breaches happen. We know they happen, but how?

Anyone can be at risk of a data breach, from individuals to enterprises and governments. More importantly, anyone who is not protected can put others at risk.

Typically, data breaches happen due to weaknesses in:

Technology: We use technology to work and live, and new technologies are created faster than we can learn how to protect them.

User behavior: Not paying attention, not following the rules, negligence, ignorance and so on.

The general assumption is that a data breach is caused by an outside hacker, but that is not always true. It can occur simply as a result of an individual’s negligence or a flaw in the technology itself. Some examples of causes include:

Lost or Stolen Device: An insecure, unlocked laptop or external hard drive that contains sensitive information goes missing.

Accidental Insider: An employee or individual using a co-worker’s laptop and reading files without the proper authorization. The access is unintentional and no information is shared, but because the data was viewed by an unauthorized person it is considered breached.

Malicious Insider: An individual who purposely accesses and/or shares data with the intent of causing harm to a person or organization. The malicious insider may have legitimate authorization to use the data, but intends to use it in nefarious ways.

Malicious External Cyber Criminal: Hackers who use various means such as phishing, brute force attacks or malware to steal data from enterprises, individuals or government entities.

Let’s talk about some statistics and how big or small recent breaches have been.

The biggest breaches of last year, 2022:

Recent research published by Forrester reported that 74 per cent of decision makers with network, data, application and security responsibilities experienced at least one data breach at their firm in the past 12 months, and 36 per cent experienced three or more.

· The most common types of data stolen were personally identifiable information (PII) and credentials; attackers pilfered over 1.2 billion customer or citizen records.

· The single largest breach of 2022 exposed 1 billion records at the Shanghai National Police.

· Three industries, public sector and healthcare, media, entertainment and leisure, and financial services and insurance, accounted for over 75 per cent of the top 35 breaches.

The Financial Impact of a Breach on Businesses

Regulatory agencies across the globe act in response to confirmed data breaches. A data breach can have a devastating effect on an organization’s reputation and on both its top line and bottom line; Equifax and Target are well-known past victims. For government organizations, compromised citizen data can mean exposing highly confidential information, political dealings and details of essential national infrastructure to foreign parties, which poses a major threat to a government and its citizens.

· Fines totalling over $2.7 billion were charged for the top 35 privacy violations alone in 2022.

· Most of the top 35 fines (79 per cent) were for failures in disclosing the collection, sharing or selling of customer data.

· Google paid $392 million to 40 US states for its deceptive collection of location data and history.

· China imposed its highest ever data privacy penalty, US$1.2 billion, on ride-hailing firm Didi Global.

· For the top 35 violations, firms paid $833 million in penalties to data protection commissions across multiple EU member states under GDPR enforcement.

· The retailer Sephora paid a $1.2 million settlement for failing to disclose that it sells customers’ personal data, a violation of the California CCPA.

· Costa Rica declared a state of emergency last year after a ransomware gang crippled services and demanded $10 million to restore operations — the government refused to pay and worked to restore services itself.

What Can We Learn from These Massive Breaches and Plan Ahead:

Data breach prevention needs to include everyone, from customers to the organization’s employees and everyone in between. When planning how to prevent data breaches or leaks, remember that security is only as strong as its weakest link. Every person who interacts with a system is a potential vulnerability; even a small child with a tablet on the home network can be a risk.

Use these data points and statistics to initiate, develop and support data security strategies, and to justify them to your executive team and stakeholders so the business can manage the risk and avoid becoming the next victim.

Prepare for a Data Breach

Even if you can restore business operations after a ransomware attack, prepare an incident and crisis response playbook and test it thoroughly on a regular basis so it keeps pace with a changing environment and economic situation. Test your communication plan so that affected parties and regulatory bodies are notified of a successful data breach as quickly as possible. A crisis management exercise should include media and customer elements and extend to the board, so that all levels understand their roles and responsibilities, and the gravity of the situation.

Lawyer Up CISOs to Mitigate the Liability Risk

Bloomberg published an article, “Mitigating the Risks in an Era of Heightened Liability for CISOs”, highlighting how chief information security officers (CISOs) have become targets in civil and criminal cases involving data breaches.

Chief information security officers lead security programs filled with technical, regulatory, geopolitical and legal complexity. If CISOs find it difficult to deal with the board, imagine them having to testify in front of a jury. CISOs have recently been the target of several lawsuits and government actions arising out of security breach incidents, including shareholder class actions, shareholder derivative suits and even a criminal case. With the increasing focus on data security and privacy as an enterprise-wide risk, the trend is likely to continue.

Shareholders typically allege that the organization and its officers made false or misleading statements about the organization’s cybersecurity practices, or failed to disclose a security incident in a timely way, until the alleged “fraud” was revealed when the cyber incident was finally disclosed.

In the case of the SolarWinds breach, many of its officers were sued in the wake of revelations that the company had suffered a significant security incident. SolarWinds agreed to pay $26 million to settle the case, which alleged a lack of cybersecurity controls, including weak password requirements, no multifactor authentication and no dedicated security team.

Although CISOs have become a new target in civil and criminal litigation, organizations and their counsel can take proactive steps to protect against future CISO liability arising from a successful data breach.

Ajay Kumar

A leader passionate about learning cybersecurity excellence