Disclosure of Breaches: The Legal and Business Ramifications of Explaining What You Did Wrong
March 3, 2020 | 12:15 pm | LBJ School of Public Affairs, SRH 3.122
On Tuesday, March 3, 2020, the Strauss Center and the Center for Enterprise and Policy Analytics (CEPA) at The University of Texas at Austin welcomed Mark Anderson, Senior Director of Business Operations at BlackBerry, for its “Cybersecurity Speaker Series.” Anderson’s discussion was entitled “Disclosure of Breaches: The Legal and Business Ramifications of Explaining What You Did Wrong.”
According to IBM and Ponemon Institute’s “Cost of a Data Breach Report for 2019,” the average cost was 3.9 million dollars and the average breach affected 25,575 records. The average time to identify and contain a breach was 279 days, but the costs and consequences of the breach can last for years.
Breaches can be associated with a variety of incident types beyond software vulnerabilities alone, including fraud, intentional leaking, malware, phishing campaigns, and failures of third-party suppliers. Recent years have seen steady growth in malicious and criminal activity; however, these account for only 51% of data breaches, with system glitches and human error almost equally splitting the remainder. Some of these breaches require HR and training fixes as much as cybersecurity ones.
Regardless of the type of breach, businesses face a myriad of international, state, and local notification laws and regulations they must navigate. Anderson made a clear distinction between breaches affecting Personally Identifiable Information (PII), where disclosure is mandated by law, and non-PII breaches where businesses need to weigh disclosure against a variety of costs. He briefly highlighted the differences between the EU’s General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the US’s sectoral approach which is governed by multiple agencies and state laws.
In determining how to respond to a data breach, the business must negotiate four key elements of that breach and the costs associated with them: detection (31.1% of cost), notification (5.4% of cost), post-breach response (27.3% of cost), and lost business (36.2% of cost). Lost business is the major issue in deciding whether to disclose the breach to the public. Some companies make poor business decisions in responding to these breaches, as seen in recent ransomware attacks. In 2019, companies faced a 29.6% chance of experiencing any type of breach, and Anderson recommended that companies remain cognizant of the risk and plan for breaches going forward.
Mark Anderson has been working in the tech sector in Austin, Texas since 1987. He has worked at Thomas-Conrad/Compaq, Dell, General Motors, and BlackBerry. He triple-majored in Mass Communications Engineering, Economics, and Government at Western Kentucky University before receiving his JD from the University of Kentucky. Following law school, Anderson worked as an attorney in Kentucky before moving to Austin to work in the emerging tech sector. He has written books on networking and network design, and holds two patents that he helped develop while working at Dell. He has extensive knowledge of management, security, software licensing and manufacturability, and network administration.