Cybersecurity is an important aspect of electronic discovery and any other activity that involves computers and confidential information, including the general practice of law.
Since attorney-client confidentiality is a key component of all legal representation, cybersecurity is critical to the legal profession. All attorneys need a basic understanding of cybersecurity. This eDiscoverySecurity.com domain is dedicated to that educational goal.
On this main page you will find links to articles written by the e-Discovery Team and other sources that will help legal professionals to better understand cybersecurity, followed by FAQs on Data Breach.
For more in-depth reading, go to our separate page listing Must Read Books on Cybersecurity.
For videos, go to our separate page listing Our Favorite Cybersecurity Videos.
Our research in this area is constant and we will continue to update eDiscoverySecurity.com with new, vetted educational materials of all kinds. Please bookmark and keep coming back for more information as you finish your studies of our current recommendations. You may also want to follow Ralph Losey on Twitter to stay current.
The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part One and Part Two, (e-Discovery Team, 2014).
Best Practices in e-Discovery for Handling Unreviewed Client Data, (e-Discovery Team, 2014).
Podcast Interview of Ralph Losey in 2014 by Sharon Nelson, President of the Virginia Bar, and John Simek, Forensic Engineer, on law firm cybersecurity outsourcing strategies.
The CIA Cyber Security Triad and 9ec4c12949a4f31474f299058ce2b22a, (e-Discovery Team, 2014).
National Institute of Standards and Technology Creates Cybersecurity Standards Framework, (e-Discovery Team, 2014).
HEARTBLEED: A Lawyer’s Perspective On Cyber Liability and the Biggest Programming Error in History, (e-Discovery Team, 2014).
From Hit and Run to Invade and Stay: How Cyberterrorists Could Be Living Inside Your Systems, Alan E. Brill, Senior Managing Director, Kroll Cyber Security & Information Assurance. Published in Defense Against Terrorism Review Vol.3, No. 2, Fall 2010 at pages 23-36.
Cyberterrorism: An Overview by Vipin Kumar Singhal (Indian Council for Social Science Research, 2014).
eDiscovery Pest Control: Dealing with the Internet Explorer Bug (Kroll Ontrack, informal blog, 2014).
2014 Cyber Security Forecast (Kroll Report, 2014).
The Evolution of Data Breach Response Amid Growing Concerns and Expectations (Kroll White Paper).
Managing threats in the digital age (IBM, executive report).
FAQS ON DATA BREACH
What is a data breach? A breach is defined as an event in which an individual’s name, plus a medical record, or financial record, or credit card, might be put at risk.
What are the main causes of data breach? There are three main causes of a data breach: (1) malicious or criminal attack, (2) system glitch, or (3) human error. The costs of a data breach can vary according to the cause and the safeguards in place at the time of the data breach. As you can see from the chart in the 2014 Ponemon report, 42% of the reported data breaches were caused by malicious attack, 30% by human error (i.e., oops, lost my drive!), and 29% by system glitch (a catch-all category: blame it on the computer).
What is a compromised record? Information that identifies an individual whose information has been lost or stolen in a data breach. Examples can include a retail company’s database with an individual’s name associated with credit card information and other personally identifiable information. Or, it could be a health insurer’s record of the policyholder with physician and payment information. In the 2014 Ponemon Institute study the average cost to the organization if one of these records is lost or stolen is $145. The chart below breaks down the average costs according to cause of loss. As you can see, data loss from a malicious attack causes the greatest per record damages, with an average cost of $159 per record.
Can the average cost of data breach be used to calculate the financial consequences of a mega breach such as those involving millions of lost or stolen records? Not really. The costs of a mega breach can be much higher. The average cost of a data breach in the Ponemon Institute research did not apply to catastrophic or mega data breaches because these are not typical of the breaches most organizations experience. In order to be representative and draw conclusions from the research useful in understanding costs when protected information is lost or stolen, the Ponemon Institute did not include data breaches of more than approximately 100,000 compromised records.
What can you do to reduce the cost of a data breach? There are many actions you can take now to reduce the damages that a data breach might cause. The Ponemon Institute survey considered many of the important factors that can impact the cost of data breach as shown in their chart below.
In addition to the factors that the Ponemon survey considered, I would add employee training. That is a key ingredient in the bottom four factors, which have the greatest savings impact. Training is critical to maintain a strong security posture and to implement an incident response plan. It is also important to BCM, which means business continuity management. This requires all levels of management to have a basic understanding and involvement with cybersecurity. The CISO appointed factor means that an organization has a Chief Information Security Officer with enterprise-wide responsibility. Part of that responsibility should include training.
How do data breach notification laws in the U.S. impact notification costs? As shown by Figure 15 of the Ponemon study below, companies in the U.S. have a significantly higher cost to notify victims of a data breach. India and Brazil have the lowest costs. Notification costs typically include IT activities associated with the creation of contact databases, determination of all regulatory requirements, engagement of outside experts, postage, secondary contacts to mail, and inbound communication set-up.
What are post data breach costs? There are many other costs associated with a data breach in addition to the notice related costs. The costs typically include help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services, and regulatory interventions. The Ponemon study measured these average post data breach costs by country. The highest was again the U.S., the lowest was India. Figure 16 from the study below shows the distribution of average costs associated with after-the-fact activities for 10 countries.
What are lost business costs? Lost business costs include the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. These costs can be devastating to a business. There are other costs that are impossible to quantify, such as business interruption. Think of the impact Target’s data breach had on operations, including the resignation of its CIO and the resignation of its CEO. The Ponemon study again measured these average lost business costs by country, and remember these were averages. The highest was again the U.S. with an average loss of $3.3 million per event, and the lowest again was India at $252,876.
How did the Ponemon Institute calculate the cost of data breach? To calculate the average cost of data breach the Institute collected both the direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.