In Depth

It's Not Easy Being Breached: Calculating the Cost of a Cybersecurity Breach

Surviving an information security incident is just the beginning. Then you need to figure out what it really cost.

By Simone Kaplan

Page 4

Varney says many CSOs don't realize loss estimates are not enough to prosecute security offenders. "If the amount varies from what the prosecution presents, the defense will poke holes all over your case," he says.

Law enforcement has minimum monetary damage requirements for prosecuting a security case. The amount depends on the jurisdiction, Varney says, but it can range from $500 to $500,000. The numbers must be carefully catalogued, and prosecutors must be able to prove them. Otherwise, a lawsuit might not go the way you think it should.

Case in point: In September 2001, a jury found Herbert Pierre-Louis guilty under the Computer Fraud and Abuse Act for launching a virus attack on four offices of Purity Wholesale Grocers in 1998. According to Purity, the virus shut down operations for a week and caused at least $75,000 in damage, well over the $5,000 minimum. But in April, a federal judge threw out the conviction because the jury ruled that the virus didn't cause enough damage to rate as a federal crime. The breach occurred before the Act was amended in 2001 to cover lost revenue from suspended operations and repair costs from interrupted service, and thus the damages as defined by the law did not total $5,000. Pierre-Louis's conviction was nullified.

Trying to nail a hacker is just the beginning. The concept of downstream liability is also a concern, says Aon's LaCroix. These days, viruses jump from company to company. If a company is deemed negligent in deploying adequate security, there's a potential for third-party lawsuits from others affected afterward. "You are no longer responsible for just your own security," LaCroix says.

Ask Ziff Davis Media. Deficient security and privacy protections cost the publishing company at least $125,000 in August 2002 when an online subscription promotion exposed subscriber information, including credit card data, to public view. Several subscribers subsequently became the victims of identity theft. In a settlement with the New York state attorney general, Ziff Davis agreed to pay a total of $100,000 to three state governments, as well as $25,000 in compensation to 50 customers whose credit card data was bared during the incident. If all 12,000 subscribers whose information was revealed had provided credit card data to the company, the settlement could have reached $18 million, according to John Pescatore, an analyst with Gartner Research.

Until someone comes up with a way to prevent breaches from happening at all (and, as we've pointed out in this issue, risk will never be reduced to zero; see "The Art of Uncertainty," Page 44), CSOs will have to deal with the aftermath of incidents and with trying to come up with a cost for the whole shebang.

