Data breaches have been intensifying in recent years, but security expert Benjamin Dean argues that many companies still lack motivation to invest in more robust information security. Also in headlines from the past few weeks: The U.S. and European governments set their sights on data processing and consumer privacy; and Forrester Research predicts that a stricter governance, risk and compliance (GRC) environment will result in more regulatory failures for companies.
Companies lack incentives for stronger cybersecurity
Despite numerous high-profile cyberattacks, there is little motivation for companies to invest in better information security, according to Benjamin Dean, a Fellow for Internet Governance and Cybersecurity at Columbia University’s School of International and Public Affairs.
Dean examined the net expenses that Sony Pictures, Target and Home Depot incurred in response to recent data breaches, taking insurance reimbursements and tax deductions into account. In the case of Sony, Dean also factored in investigation and remediation costs. Dean found that these breach-related expenses amounted to 0.9%, 0.1% and 0.01%, respectively, of the companies’ total 2014 revenue. Investments in cybersecurity are also slight even among financial institutions like JPMorgan Chase that rely heavily on robust information security, he said.
Dean attributes these companies’ failure to adequately invest in information security to “moral hazard,” the situation in which one person or organization takes greater risks because others bear the brunt and costs of those risks. For instance, credit and debit card providers sustained most of the costs related to the Home Depot breach, spending some $60 million replacing customer cards in September 2014 alone.
Moral hazard, combined with insurance reimbursements and tax deductions, weakens companies’ incentives to make large cybersecurity investments, Dean argues. As a result, greater government intervention is needed, he said. While there are currently policy proposals that address data breach protection, most of them don’t focus on moral hazard or on providing incentives to these companies. Instead, these proposals focus on information sharing with intelligence agencies, something Dean and other infosec experts contend will not significantly reduce breaches.
U.S., European governments target consumer data processing
The Obama administration released draft legislation in late February that would give consumers greater control of how their personal information is collected and used by companies. The proposed bill aims to fill the gaps among already existing federal laws that address how consumer information is used, including the Fair Credit Reporting Act and the Video Privacy Protection Act.
The legislation will allow industries to create their own codes of conduct on how to handle consumer data. The Federal Trade Commission will enforce the bill by making sure these codes fulfill the baseline data-processing requirements of the bill, such as furnishing consumers with notices about how their personal information will be collected, used and shared.
The draft has already encountered opposition from privacy rights advocates, who say it does not go far enough to protect consumers and gives companies too much latitude. One of these advocates, Sen. Edward J. Markey, argues that instead of these industries developing varying codes of conduct, U.S. policy makers need to draft legislation that is uniform and legally enforceable.
In the meantime, European legislators are proposing a new data protection law that would require U.S. companies like Google and Facebook to embed data privacy standards in their products and Internet services before being able to sell them in the European market.
The new rules, which are being negotiated in the European Parliament, could include stricter requirements around the processing of personal data, which could involve re-engineering data collection processes and applications, according to one U.K. data privacy expert.
Forrester forecasts more corporate regulatory failures in 2015
A new report by Forrester Research predicts that in 2015 there will be more corporate failures to address regulatory enforcement and customer-facing risks than in 2014. The report predicts that these failures will lead to losses that could amount to $20 billion.
Sizable regulatory settlements by top banks such as Bank of America ($16.7 billion), Citigroup ($7 billion) and JPMorgan Chase ($13 billion) were among the grievous “corporate mistakes” the report cited. It also pointed to failures by companies like Borders and RadioShack to keep up with digital and consumer technology trends, both of which Forrester said “violate customer trust or fail to meet changing customer expectations.” One of the reasons these corporate blunders keep getting worse, according to Forrester, is a gap between many of these companies’ customer-centric business strategies and the risks associated with them.
The firm advises companies to review their current risk registers and incorporate language on how relevant risks will impact customers. Companies not only need to understand these risks — which include privacy breaches, payment fraud and product failures — but also make mitigation plans a high priority and collaborate with marketing to mitigate customer-facing exposure to these risks, Forrester recommends. The report also urges companies to continuously monitor the software market for opportunities to improve how they implement GRC platforms.