The year 2015 may go down in history as the year of the hacker. Though hacking is not a new phenomenon, high-profile hack-related stories have captured headlines almost every month of 2015. On the eve of the New Year, the world was abuzz with news that hackers had carried out an unprecedented attack on Sony Corporation that culminated in the publication of thousands of sensitive e-mails. Shortly thereafter, hackers compromised the personal information of nearly 100 million Anthem customers and employees. The United States government also came under attack when hackers stole information from both the IRS and the Office of Personnel Management. And, most notoriously, the dating website Ashley Madison suffered a data breach that resulted in the disclosure of roughly 30 gigabytes of data containing sensitive information about its customers and business operations. These stories represent only the tip of the iceberg, and more than three months still remain in the year.
In light of the broad spectrum of industries affected by these attacks, no company should feel immune from cybersecurity threats. But recognizing the threat is easy. Formulating a response is more complicated.
As with any other initiative, a business's information security program must be cost-effective. A cost-effective program, however, is not necessarily an effective one.
At least two factors constrain cybersecurity initiatives. First, businesses and the hackers interested in attacking them share an asymmetric relationship that sharply favors the hackers. As one report from the Wall Street Journal explained, "It is a lot cheaper to hack than defend a hack." Businesses are large, stationary targets with numerous exploitable vulnerabilities, and they have to defend every one of them; an attacker needs to find only one that works. Hackers are elusive adversaries who can explore and exploit those vulnerabilities before a business even knows they exist, and they therefore hold a strategic advantage. The WSJ article describes the limits companies face under these circumstances: "For $1 million, [a hacker] could assemble a team that could hack into nearly any target. But $1 million wouldn't be nearly enough for a company to defend itself." The takeaway: 100% impenetrable security is impossible, and blind pursuit of it would be cost-prohibitive.
Second, the recent experiences of companies hit by data breaches do not suggest that the cost of a breach necessarily warrants massive additional investment in data protection. As CBS's Moneywatch reports, the point-of-sale breach that hit one major big-box retailer in 2014 cost the company $105 million after insurance coverage and tax deductions. The retailer's total revenue in 2014 was $72.61 billion, so the direct losses from the breach came to roughly 0.15 percent of its revenue. Note that this figure is net of insurance and tax and captures only the company's direct costs. The article also suggests that it took Sony a little less than six months to repair its reputation following the 2014 hack. Even Ashley Madison, a company almost entirely dependent on privacy and discretion, recently announced that its business has continued to grow in spite of the massive and embarrassing breach that occurred just over two months ago.
And there is one more thing to consider. Although many high-profile data breach lawsuits have ended in settlements, in which the defendants evidently chose simply to stop the madness rather than continue litigating on multiple fronts, to date there has not been a single adjudicated case finding a company liable to consumers for a data breach. Not one verdict, despite 10 years of litigation. In fact, as we have previously pointed out, of all the consumer class action lawsuits that have been filed, not one has resulted in a certified class. These cases are marked by intense motion practice at the early stages and, more rarely, by interlocutory appeals. But, thus far, none of them has resulted in big dollars awarded by a jury.
These observations leave businesses with a balancing act and a question: how much data security is enough? Too little security exposes the company to reputational risk and possible liability in the event of an attack. Too much investment in security will almost certainly produce waste, because no data security system can promise complete protection.
There is no one-size-fits-all answer. Every business should resolve the issue based on an assessment of its own circumstances and risk, starting with a reliable and thorough methodology for assessing its current data security. What kind of data is the organization collecting? What is the potential exposure if it becomes the "test case" for the next theory of liability? What insurance coverage is available, and how much does it cost? What is the reputational risk? What can the budget support in data security spending? How quickly can security upgrades be implemented? Companies that depend heavily on privacy will obviously invest more in data security than those that do not. A large public company may be able to take a more economical approach that satisfies shareholders, while a smaller entity less able to withstand a major blow to its reputation may need to spend more. Certainly, every company, regardless of size, should shift as much risk to insurance as possible and prepare an incident response plan in advance, so that when (not if) the inevitable data breach occurs it can mitigate and live through the consequences.
At least for now, the decision may have as much to do with optics as with reality. Because, in reality, every company is susceptible to an attack, and determined, persistent hackers are very hard to stop indefinitely. Data security and risk management call for a cost-benefit analysis. That is a fact of life, and it is no different from the cost-benefit analysis that companies, large and small, public and private, engage in every day, in every other aspect of business.