A new class of companies are angling to be at the top of a list of breach responses that grows longer by the day. And little wonder: According to a study by the Michigan-based Ponemon Institute, sponsored by IBM, the average cost of a data breach is $3.8 million – a 23 percent increase over the previous two years. The cost of each piece of confidential information exposed rose from $145 to $154 over the same period. Then there's the harder-to-quantify cost of damage to a company's brand or the reputation of its leadership – as the C-suite survivors of the Target and Sony breaches can attest.
The rising costs following a data breach reflects the multi-faceted spending required to recover from such events. At one end of the spectrum, high-powered, forensic-focused outfits that work the case and finger the culprits, be they domestic hacktivists or international cyber-gangsters to operatives for a nation-state. Then there's a growing array of far smaller companies promising to swoop in to save previously unsuspecting mid-sized companies – for example, a hospital hit by ransomware or a local retail outlet with compromised POS devices. Those trying to limit their budgets will encounter what analysts call the ambulance-chaser segment of the post-breach repair market, with results that may be spotty at best.
Lillian Ablon, information systems analyst, RAND
Robert Liscouski, CEO, Convergent Risk Group
Andrew Plato, CEO, Anitian
Melissa Ventrone, partner, Thompson Coburn
But spending top dollar on post-breach specialists isn't necessarily the most effective way to counter a breach, says Andrew Plato, CEO of Anitian, a Portland, Ore.-based security consultant.
“There is focusing on the attribution and mechanism of the attack rather than the systemic set of issues that have happened there,” Plato says. “You see this a lot with the big public players in this space. They attribute the breach to some Chinese group and get on the news. That is good for them, but does it give their clients a lot of benefit?”
If breach-hit companies want to avoid a one-stop shop with services they may not need, they can go a la carte, assembling their own team: investigators to figure out what went wrong, remediation specialists to pick up the pieces, attorneys to work with law enforcement to help brace with the inevitable lawsuits, and public relations specialists to sooth customers and deflect the media.
That's where law firms specializing in cybersecurity see an opportunity. By acting as post-breach coordinators, attorneys can help their clients navigate the 47 data breach notification laws upheld by individual states and territories in the U.S. and keep even more internal data from spilling into the open through the legal discovery process. Melissa Ventrone, a partner in the Chicago law firm Thompson Coburn, says she thinks of it as shielding the company through the umbrella of attorney-client privilege.
Behind closed doors, Ventrone and her counterparts at other firms inform clients that the services offered by some breach-response specialists should have already been in place. “Endpoint monitoring, anti-virus and anti-malware, central logging points – all of these things should have been taking place prior to an event,” she says. Buying such services a second time may be irrelevant and a waste of money, Ventrone adds.
When the data breach D-day finally comes, businesses can avail themselves of any of several survival guides by the major IT players, cybersecurity technology companies, large consulting companies, the credit bureaus, industry associations and more. Nearly all focus on key steps: isolate and stop the breach, contact law enforcement, line up legal help to conform with breach notification statutes, conduct a forensic investigation, deploy a public relations team and roll out long-term remediation.
That's solid advice, says Ventrone, but they scare her a little bit, she says, because there are so many nuances to these types of events. “They are not formulaic in nature.”
The message from the breach-response industry is, in short, pay us for full-service breach response before the worst happens – or pay a lot more later. From forensics squads to legal teams to PR specialists, industry players contend that the costs of being underprepared is simply too great in terms of battered brands and alienated customers.
But what happens when data breaches become so commonplace that customers either no longer care or can't muster the time and energy necessary to move their business from one company to another? Is the fallout really so high?
Maybe not, according to a recent study by the Rand Corp., the Santa Monica, Calif.-based noprofit that's a major research contractor for U.S. defense and intelligence services. Published in April 2016, its report, “Consumer Attitudes Toward Data Breach Notifications,” found that 26 percent of respondents – indicative of the experience of some 64 million adults in the U.S. – were personally impacted by a data breach in the 12 months prior to their participation in the survey. Yet of those affected, just 11 percent reported that they had stopped doing business with the company involved.
Some of that loyalty may have been unintended, given the sometimes time-consuming process of, for example, changing a bank and all the corresponding auto-payment setups, or other costs associated with the breach, says Lillian Ablon (left), an information systems analyst at RAND who led the study. Still, she says, some 32 percent said there would have been a zero-dollar cost in making such a switch, suggesting that consumers have concluded that any business they patronize is likely to be vulnerable to such a breach.
One survey finding could be particularly significant to those responsible for handling data breach remediation, whether in-house or as contractors, Ablon says. Forty-four percent of consumers learn about a data breach from someplace other than the company, she says, “because of activity on cards or because they heard about it on the news.”
But that doesn't necessarily mean that a business in post-breach mode should immediately notify those affected in a bid to salvage customer relationships, Ablon says. Immediate notification before the breach is isolated could prompt hackers to change tactics and move elsewhere or pre-empt efforts to attribute the attack. “Figuring out when to disclose is a tricky thing,” Ablon says.
That lag between the discovery of a data breach and its eventual disclosure – and the paucity of information when they do come out – is another market opportunity for companies that specialize in public relations and crisis management. The longer the delay – often to the maximum period allowed by law – the more explaining there is to do in order to mollify customers.
But in some cases, those caught up in a big breach have no choice other than to stick with the enterprise or government entity that was effected. If those among the nearly 80 million people covered by an Anthem health insurance product are upset that their personal data was exposed in a 2015 megabreach, they may find it almost impossible to find equivalent coverage elsewhere.
And the 5.6 million people whose fingerprints were exposed in the federal Office of Personnel Management (OPM) breach literally have nowhere else to go, says Robert Liscouski (left), CEO of Convergent Risk Group, a Leesburg, Va.-based firm that offers cybersecurity assessment and monitoring services. Unless the individual is a CIA agent or another intelligence operative, only OPM can conduct the kind of detailed background check and maintain the records that created the data trove allegedly scooped up by China-backed cyber operatives.
After waiting months to be formally notified that his own personnel file was caught up in the breach, Liscouski received a letter that stated that fact – and nothing more. While OPM may be a special case, the tardy and minimal notification are an indication that post-breach response – and the cyber risk evaluations that shape them – are still in their early days.
“A breach may have exploited something meaningful, but not at core area,” says Liscouski, who is a former Homeland Security official. “You solve a small problem, but the bigger problem has yet to be addressed.”
And while the major corporations and big government agencies are ramping up spending on risk and incident response, medium-sized and smaller companies face resource constraints that force them to try to get by with best practices, he says.
When the data breach finally comes, those companies will have little choice but to bring in the best experts they can afford. Just what post-breach services will be most needed – and which players will dominate – remains to be seen.