Americans Increasingly Blasé Over Data Breaches

Public Policy
This article was originally published on Fox Business on October 15, 2014.
by Brian E. Finch
+1.202.663.8062
brian.finch@pillsburylaw.com
Brian E. Finch is a partner in Pillsbury’s
Public Policy practice in Washington, DC.
He is a recognized authority on global security
matters and is co-leader of the firm’s Global
Security practice.

If you have gotten to the point where you read about yet another data breach and thought “ho hum,” you are not alone. It is hard not to feel that way – it seems as if basically every place you might shop or do business is suffering from a data breach. These hacks run the gamut of the consumer spectrum, from discount stores and sandwich shops to some of the most respected luxury chains and high-profile banks.

It’s a miracle, frankly, that we haven’t gone back to a completely cash or paper check-based economy. Or perhaps it has just gotten to the point where we don’t really care about data breaches any more.

Some research is backing up the idea that the American public has stopped being overly anxious about data breaches. A recent study by the Ponemon Institute found that nearly three-quarters of respondents did not stop doing business with the company that had suffered a data breach. Even more interestingly, nearly one-third of respondents “ignored the notifications and did nothing” when they were alerted to a possible data breach.

Well, I guess we are kind of over the whole data breach thing. Sounds good to me.

Wait, what? That’s a good thing?

In many ways, it is in fact a good thing. First and foremost, a lack of panic over every new data breach is a sign that we are finally starting to view breaches in the proper context. That means we understand that they are a reflection of the “new normal”, simply a part of the cost of doing business in the incredibly interconnected world.

Look at it this way: whether we want to recognize it or not, every business builds into its forecasts some expected losses due to theft or employee dishonesty. The retail industry even has a term for it: “shrinkage” (no George Costanza “I was in the pool!” jokes please). Under that concept, retailers expect that there is going to be a certain amount of merchandise stolen by employees. It does not mean that the employer turns a blind eye to it or its costs -- far from it. Employers actually work quite hard to minimize these losses.

Companies invest huge amounts of money on sophisticated inventory control systems as well as loss prevention teams to stop theft by employees as well as by common criminals. Similar tools are used in a variety of other business sectors, such as the financial industry using sophisticated algorithms to detect fraud and illicit trading by their employees.

What is interesting here is that you tend not to hear about these kinds of losses, unless the theft was on a massive scale. Absent those kinds of losses, insider theft tends to be, well, not very newsworthy.

So perhaps the idea of breach fatigue isn’t a bad thing. Fatigue here could, in fact, imply that companies and consumers alike have begun to accept these kinds of events, and therefore will not automatically assume they will ruin businesses and consumers alike.

Having said that, let’s not all kick back and stop worrying about data breaches. They do matter, and stopping them remains a top priority.

Now I know what you are going to say – “Wait a second, you just said it’s a good thing that we are not as concerned about data breaches as we have been. Make up your mind already!”

I’m not trying to make your head hurt. What I am saying is that it is good to recognize that breaches are going to happen, and that not every breach will bring about the end of capitalism as we know it. But there are still many breaches happening that can have serious consequences and undermine our economy, much less our national security.

What I am talking about here is not a “routine” data breach that steals credit card data. Instead, I’m talking about the sophisticated data breach that is designed to steal information that can do serious harm to a company or a piece of infrastructure, or perhaps be used to lead to more sophisticated attacks causing significant damage.

Take for instance the recent data breach that victimized USIS. USIS is a major government contractor, handling a large portion of the background checks for the U.S. government. USIS suffered a serious data breach that resulted in the theft of personal information of 25,000 plus federal employees. Normally you would look at that and think “Boy, glad my info wasn’t stolen.”

But that isn’t the real problem with the USIS breach. No, the real problem is that the information stolen can be used by a foreign nation to conduct far more insidious attacks, such as targeting specific government employees so that malware can be inserted onto sensitive government systems. Once that is done, we are talking about the potential for massive espionage campaigns.

That’s bad. Way worse than having your Service Merchandise store credit card stolen.

Similar worries apply to data breaches targeting employees in “critical infrastructure” such as the financial or energy industry. Such attacks could lead to serious disruptions in our economy or even weaken our national security. Again, that’s much more concerning than having the credit card you used at a sandwich chain stolen.

Also, let’s not forget that when I discussed the idea of insider theft I noted that companies spend lots of time working to minimize those losses. Companies understand that they are going to happen, but they also work hard to make sure that they happen infrequently or at a level that will not endanger the health of the company.

Businesses should feel a similar obligation with respect to stopping or minimizing data breaches. Just because consumers are starting to worry less about data breaches, it does not follow that companies should invest less in defending against attacks. Rather, companies should be continually investing in defenses in order to make sure that they keep losses at an “acceptable” level (whatever that means).

Ultimately, consumers have to remember too that even if they don’t directly see the cost of data breaches, they will pay for them in some way, shape or form. You might not see an item on your next grocery receipt that reads “5% surcharge to recoup data breach losses”, but believe me the prices you pay reflect that cost in some manner. And the more preventable breaches that are allowed to occur, the worse off we all are.

Bottom line, it’s okay to not freak out over every data breach. They will continue to happen, and nothing we do will stop every one of them. Still, ignoring them completely is not an option. Not all data breaches are created equal, and so we have to remain vigilant so we know how to react when one that “matters” occurs.

Pillsbury Winthrop Shaw Pittman LLP | 1540 Broadway | New York, NY 10036 | +1.877.323.4171
ATTORNEY ADVERTISING. Results depend on a number of factors unique to each matter. Prior results do not guarantee a similar outcome.
© 2015 Pillsbury Winthrop Shaw Pittman LLP. All rights reserved.
pillsburylaw.com