Non-IT C-levels love absolutes on security. They want to know that if they approve those 50 additional security staff and $200 million in additional equipment and software, breaches will be blocked. IT knows that it's a silly question, that the best one can ever hope for from security is to make it progressively harder to break in. CFOs and CEOs want guarantees, and none exist in security.
What brings this to mind is some fallout from a court-approved settlement from the Target data breach. Dark Reading did an interesting analysis of that settlement, where it argued that the court erred in signing off on Target's punishment. The piece made some interesting — and valid — security points, but it failed in the "so what?" conclusion.
The plaintiffs who were suing Target had argued that there were a huge number of places where the retailer had security holes that enabled the attack.
That is essentially undisputed. But the plaintiffs then argued that had Target fixed/detected any one of those holes, the attack would have been averted. The court bought into that argument and signed off on Target's $10 million punishment.
The Dark Reading piece pointed out that the court's logic was flawed and its understanding of security pragmatism was even more so. The "ruling is dangerously flawed and a gross misrepresentation of how attackers operate; it ignores the fact that the breach was conducted by actual people. Preventing one event in a supposed chain will not stop a breach. Attackers will simply find another way to achieve their goal. The challenge is to identify that a targeted attack is under way and then rip the attackers out of the network."
That point is, obviously, correct. But I am not certain that the judge didn't grasp that. The real question is: What would you have had the judge do differently? That forces us to answer the ultimate question at play here: What should businesses do any differently? What behaviors should be encouraged, and which ones should be punished? From a societal standpoint, that is what courts and juries are supposed to do.
In the same way that it's naïve and disingenuous for a C-level to say that fixing one security hole would necessarily have stopped an attack, it's equally misleading to say that because attackers can change attack methods at any time, attacks are inevitable and closing any particular hole is pointless. Although it's correct that attacks are inevitable, that doesn't mean that IT should give up. And, back to the point about Target, it also doesn't mean that a large business should be held blameless for the damage from such an attack.
So what should a court/jury considering a data breach case consider? A few things.
- Industry standards. This certainly includes formal requirements such as PCI DSS for payment-card data and HIPAA for health data, but it also includes which security mechanisms are deployed by most companies in that vertical and in that rough revenue range.
- Prudent measures. Was the company aware of similar attacks? Did the company do everything in its power to adequately defend itself? (For you CFOs out there, chill out. I'll address ROI in the next bullet.)
- Reasonable cost/ROI. This is the most difficult to gauge, especially for a court or jury, which is why expert witnesses become critical. Given that no defense is absolute, what is appropriate for a publicly held company to spend? Please forgive the sports cliché, but there will be a huge temptation to Monday-morning-quarterback this, meaning the judge or jury will factor in that it was a multibillion-dollar breach that affected a massive number of people. They need to remember that they are judging the CIO/CFO security investment decisions that were made months and years before the attack began, so the size of the eventual loss can't be used to evaluate those decisions.
That evaluation has to be "Was it a reasonable and legitimate amount of security investment to make, based solely on what was known at the time that the decisions were made?"
Here's the worst part of that equation: what if the numbers allowed for only bad choices? Consider a hypothetical company with annual revenue of $150 million and net income of $31 million. Now let's say that cyberthieves have targeted that company and the only adequate defense would cost $19 million. If the CFO even considered approving that much, that CFO should be fired. Any security investment has to be made in the context of that company's financial realities, specifically what the company can afford to spend on security. And you have to hope that the jury includes at least one small business owner.
The Dark Reading piece is well worth reading, as it is a rather masterful takedown of the court's decision. But it failed to propose an alternative to letting breached companies off the hook no matter how poorly they defended themselves.
I have personally argued many times that the single biggest element weakening retail security in the U.S. is zero liability. It's a domino argument, where one thing leads to another. Because zero-liability programs make shoppers whole when anything bad happens, shoppers don't get hurt. If they don't get hurt, they can't successfully sue, nor do they have much incentive to abandon that retailer. Therefore, the retailer has relatively little incentive to radically increase its security.
Look at it the other way. If the first big retailer to be breached — which was TJX — had been attacked when no zero-liability programs were in effect, customers would have been financially devastated, lawsuits would have succeeded, TJX's stock price would have plummeted and the chain might very well not have survived. Had that happened, is there any doubt that retail security would be several orders of magnitude stronger than it is today? (Yeah, that's really tough love, but it would have had to happen only once.)
As courts take a more active role in these breaches, they need to weigh what is reasonable against the behavior they want to encourage. A retailer today can spend the absolute minimum on security. The only reason to truly invest is the fear of what will happen when a jury of its peers weighs in on that investment. In short, judges should be realistic about security, but so should companies.