Americans Increasingly Blasé Over Data Breaches

This article was originally published on Fox Business on October 15, 2014.

by Brian E. Finch
Public Policy | +1.202.663.8062 | brian.finch@pillsburylaw.com

Brian E. Finch is a partner in Pillsbury’s Public Policy practice in Washington, DC. He is a recognized authority on global security matters and is co-leader of the firm’s Global Security practice.

If you have gotten to the point where you read about yet another data breach and thought “ho hum,” you are not alone. It is hard not to feel that way – it seems as if basically every place you might shop or do business is suffering from a data breach. These hacks run the gamut of the consumer spectrum, from discount stores and sandwich shops to some of the most respected luxury chains and high profile banks.

It’s a miracle, frankly, that we haven’t gone back to a completely cash or paper check-based economy. Or perhaps it has just gotten to the point where we don’t really care about data breaches any more.

Some research is backing up the idea that the American public has stopped being overly anxious about data breaches. A recent study by the Ponemon Institute found that nearly three-quarters of respondents did not stop doing business with the company that had suffered a data breach. Even more interestingly, nearly one-third of respondents “ignored the notifications and did nothing” when they were alerted to a possible data breach.

Well, I guess we are kind of over the whole data breach thing. Sounds good to me.

Wait, what? That’s a good thing?

In many ways, it is in fact a good thing. First and foremost, a lack of panic over every new data breach is a sign that we are finally starting to view breaches in the proper context. That means we understand that they are a reflection of the “new normal”, simply a part of the cost of doing business in the incredibly interconnected world.
Look at it this way: whether we want to recognize it or not, every business builds into its forecasts some expected losses due to theft or employee dishonesty. The retail industry even has a term for it: “shrinkage” (no George Costanza “I was in the pool!” jokes please). Under that concept, retailers expect that there is going to be a certain amount of merchandise stolen by employees.

It does not mean that the employer turns a blind eye to it or its costs -- far from it. Employers actually work quite hard to minimize these losses. Companies invest huge amounts of money on sophisticated inventory control systems as well as loss prevention teams to stop theft by employees as well as by common criminals. Similar tools are used in a variety of other business sectors, such as the financial industry using sophisticated algorithms to detect fraud and illicit trading by their employees.

What is interesting here is that you tend not to hear about these kinds of losses, unless the theft was on a massive scale. Absent those kinds of losses, insider theft tends to be, well, not very newsworthy.

So perhaps the idea of breach fatigue isn’t a bad thing. Fatigue here could, in fact, imply that companies and consumers alike have begun to accept these kinds of events, and therefore will not automatically assume they will ruin businesses and consumers alike.

Having said that, let’s not all kick back and stop worrying about data breaches. They do matter, and stopping them remains a top priority.

Now I know what you are going to say – “Wait a second, you just said it’s a good thing that we are not as concerned about data breaches as we have been. Make up your mind already!”

I’m not trying to make your head hurt. What I am saying is that it is good to recognize that breaches are going to happen, and that not every breach will bring about the end of capitalism as we know it.
But there are still many breaches happening that can have serious consequences and undermine our economy, much less our national security.

What I am talking about here is not a “routine” data breach that steals credit card data. Instead, I’m talking about the sophisticated data breach that is designed to steal information that can do serious harm to a company or a piece of infrastructure, or perhaps be used to lead to more sophisticated attacks causing significant damage.

Take for instance the recent data breach that victimized USIS. USIS is a major government contractor, handling a large portion of the background checks for the U.S. government. USIS suffered a serious data breach that resulted in the theft of personal information of 25,000 plus federal employees.

Normally you would look at that and think “Boy, glad my info wasn’t stolen.” But that isn’t the real problem with the USIS breach. No, the real problem is that the information stolen can be used by a foreign nation to conduct far more insidious attacks, such as targeting specific government employees so that malware can be inserted onto sensitive government systems. Once that is done, we are talking about the potential for massive espionage campaigns.

That’s bad. Way worse than having your Service Merchandise store credit card stolen.

Similar worries apply to data breaches targeting employees in “critical infrastructure” such as the financial or energy industry. Such attacks could lead to serious disruptions in our economy or even weaken our national security. Again, that’s much more concerning than having the credit card you used at a sandwich chain stolen.

Also, let’s not forget that when I discussed the idea of insider theft I noted that companies spend lots of time working to minimize those losses. Companies understand that they are going to happen, but they also work hard to make sure that they happen infrequently or at a level that will not endanger the health of the company.
Businesses should feel a similar obligation with respect to stopping or minimizing data breaches. Just because consumers are starting to worry less about data breaches, it does not follow that companies should invest less in defending against attacks. Rather, companies should be continually investing in defenses in order to make sure that they keep losses at an “acceptable” level (whatever that means).

Ultimately, consumers have to remember too that even if they don’t directly see the cost of data breaches, they will pay for them in some way, shape or form. You might not see an item on your next grocery receipt that reads “5% surcharge to recoup data breach losses”, but believe me the prices you pay reflect that cost in some manner. And the more preventable breaches that are allowed to occur, the worse off we all are.

Bottom line, it’s okay to not freak out over every data breach. They will continue to happen, and nothing we do will stop every one of them. Still, ignoring them completely is not an option. Not all data breaches are created equal, and so we have to remain vigilant so we know how to react when one that “matters” occurs.

Pillsbury Winthrop Shaw Pittman LLP | 1540 Broadway | New York, NY 10036 | +1.877.323.4171
ATTORNEY ADVERTISING. Results depend on a number of factors unique to each matter. Prior results do not guarantee a similar outcome. © 2015 Pillsbury Winthrop Shaw Pittman LLP. All rights reserved.