Lessons Learned from Data Breaches

Recent data breaches have left some large organizations reeling as they deal with the aftermath. They include the Target data breach, compromises at Home Depot, JP Morgan, USPS (which exposed employee Social Security Numbers and other data) and, most recently, Sony Pictures. The Sony hack also proved to be embarrassing to some of the company’s executives, as private email correspondences were exposed.

Collateral damage from a data breach is significant: one in nine customers affected by a data breach stopped shopping at the retailer involved. According to LifeLock, a recent survey of corporate executive decision-makers found that while concern about a breach rates 4 or 5 on a 5-point scale, only 10% to 20% of their total cyber security budgets go to breach remediation. Establishing an incident response plan in advance can reduce the cost per compromised record by $17.

While strengthening cybersecurity is important, the impact on breached organizations shows that preparing a response must be part of the breach-management equation. These breaches present an opportunity for business leaders and risk professionals to learn important lessons about how to protect their companies, customers and employees if a breach should occur.

Below are steps companies can take to establish a response plan, as well as information on the data breach landscape.

Life Unlocked

If you’ve watched any television in the past few years, you have probably seen commercials for LifeLock, an identity theft protection service that is notable for prominently displaying CEO Todd Davis’ social security number on billboards and promotional material in an effort to demonstrate the effectiveness of his company’s system. Maybe it’s because I work for a risk management magazine and have heard countless horror stories about data theft, but LifeLock’s ad strategy always seemed like a pretty bold move that bordered on lunacy. It turns out my skepticism was justified. According to an article in the Phoenix New Times (by way of Wired), Todd Davis has had his identity stolen at least 13 times.

And it’s not only Davis who has been affected by LifeLock’s campaign. Many companies have been put on the hook for sometimes substantial charges that will likely go unpaid. Identity thieves have opened AT&T cell phone accounts, leaving behind more than $2,000 in unpaid charges, and obtained a $500 loan from a check-cashing company. And that was just the beginning.

More cell-phone service was fraudulently charged to Davis: Someone opened a Verizon account in New York, leaving behind unpaid bills of at least $186. An account at Centerpoint Energy, a Texas utility, was opened. At least $122 went unpaid. Fake Davises owe $573 to Credit One Bank and $312 to Swiss Colony, a gift-basket company. Two other accounts, one for USA Savings Bank and a Gap credit card, were opened successfully in Davis’ name but showed zero balances as of early 2009. There were also multiple dings by collection agencies: Bay Area Credit, $265; two for Associated Credit Services, $207 and $213; and two for Enhanced Recovery Corporation, $250 and $381.

The fun doesn’t stop there for LifeLock. In March, the Federal Trade Commission fined the company $12 million for deceptive advertising. Evidently, the FTC thought that the company was running a scam and that its claims were bogus. Looks like they were right.

Incidentally, Todd Davis’ social security number, which used to figure so prominently in LifeLock’s ads (like the one above), can no longer be found on the company’s website. I guess someone finally learned his lesson. Too bad it might be a case of too little, too late.