A Q&A with Sasha Romanosky, PhD, of the RAND Corporation
In a recent study, RAND Corporation policy researcher Sasha Romanosky examined 12,000 data breaches from 2004 to 2015, trying to get a more holistic view of their causes, costs, and associated risks and trends. I spoke with Dr. Romanosky about his findings.
Your study reveals interesting findings about data breaches and security incidents, some of which may come as a surprise to some readers. Which of these stand out for you?
I found that more incidents are happening overall and data breaches are increasing, but they are increasing at a decreasing rate. However, reported security incidents—i.e., actual hacks—have been increasing in recent years. We’re also seeing an increase in the compromise of information that can be used to commit more serious kinds of identity theft and fraud, such as social security numbers, financial and medical information. While the litigation rate of traditional data breaches has been steadily decreasing, privacy lawsuits are rising sharply. This is mostly driven by allegations of unsolicited telemarketing and advertising from spam, phone calls and faxes. Suits relating to unauthorized surveillance (eavesdropping or wiretapping), as well as alleged harassment from debt collection, are also common.
All of this being said, when we look at the cost of these events, most companies don’t seem to lose all that much. The cost of recovering and restoring systems, disclosing the event, bringing in counsel and other services really only amounts to a few hundred thousand dollars. The percentage of revenue is small—much less than costs such as fraud or crime or waste.
I was very interested to see Manufacturing as a sector that sustains a great amount of loss. Do you have any theories as to why?
That’s a good question. My interest was in trying to understand which industries pose the greatest risk and so I looked at the total number of breaches, breach rates by industry, total number of lawsuits and litigation and costs. These dimensions only tell part of the story. If you talk today with insurance carriers they seem to be most concerned about finance, retail, healthcare and education and we are seeing plenty of breaches in these areas. But manufacturing and information services (news media, radio, software, telecommunications) are suffering, too, with manufacturing having a higher than average cost per incident. Even though they don’t get breached all that often their losses and impacts are sizeable. Typically you think of companies that have direct relationships to consumers as being the ones with the desirable information for hackers, so it is fairly surprising. If you look at the litigation rate, mining and gas are getting hit hard. Ultimately there is no one industry that’s the worst which makes this a more complicated story to tell.
Of all your findings what do you think are the most important takeaways for readers?
I think the cost finding was most significant. People talk about the “average” cost of a data breach, but that is a very misleading figure. Yes, there are breaches by Target, Sony and Home Depot that cost hundreds of millions, but if we’re interested in understanding the cost that “most” firms face, it’s more useful to look at the median cost. When we do, we see that most firms lose very little—less than $200,000. Overall, from our data, this represents less than 0.4% of a firm’s revenue, much less than fraud, waste, and loss in other sectors.
Given the big deal we make about data breaches and how much regulation has been written, breaches don’t seem to be costing as much as people think. The other big takeaway is that most of the legal action is still being driven by private federal suits as opposed to criminal or state actions. You’re still looking at individuals going after companies. We’re also seeing a sharp increase in privacy lawsuits, driven by allegations of wiretapping and surveillance, debt collector harassment and cookie tracking.
Are there any trends here you feel are worth exploring in greater depth?
I think it would be interesting to tease out the privacy litigation piece, and see how this is playing out and what kinds of security controls can be put into place to reduce the risks of these actions. It would require different kinds of data but it’s a question worth pursuing.
Thank you, Sasha. Your research provides us with another layer of understanding regarding the costs of data breach events for organizations. This type of research, looking at the actual impact to organizations, is important to help corporate risk managers better understand their risk posture, and this analysis is often missing in many cyber risk studies, so we commend RAND!
We should, however, point out that because Dr. Romanosky’s data set includes events as early as 2004, some of his findings may understate the current cost/impact of an event to any given organization. For example, it is only in the past few years that state and federal agencies have bolstered privacy regulations and begun seriously penalizing organizations that fail to protect data. We’ve seen a steady increase in fines and penalties assessed by HIPAA/OCR and State AGs, along with a corresponding increase in legal defense costs. Additionally, it is only recently that we’ve begun to assess the financial loss associated with the theft of IP/trade secrets. Also, while Dr. Romanosky’s conclusion that the median cost of these events is relatively small and easily absorbed by most organizations is undeniably true, we should acknowledge that the potential cost is not so easily absorbed. For example, in the NetDiligence® 2015 Cyber Claims study, the median cost of a data breach for a small organization ($300M to $2B in revenue) was only $154K, but the largest cost we saw was just under $5 million. That’s high enough to cripple a small company. And for medium-to-large organizations, the potential impact is even greater.
NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.