Data breaches: Playing by a new set of rules?
Tell me, what’s your response when you hear that a company that was breached is now losing customers? I suppose it’s at this point that the word reasonable makes an appearance, whether it comes from the regulator or from the data subjects whose personal data is now being packaged and sold to identity thieves.
The key question is whether the company that lost all that data took reasonable measures to protect it.
If the answer is no, well, guess what? The regulator can come in and fine your organization. In fact, it could get even worse, because you will become the victim of an abnormal churn rate. You know, that term used to describe the number of customers who will leave you because they just don’t trust you anymore.
Within the last year we have seen examples where exactly that has happened. For example, one business that experienced a significant breach was reported to have lost almost 100,000 customers. In the words of the regulator, the impacted company “should and could have done more to safeguard its customer information”.
In many ways, this response is expected. The term reasonable is part of the information security rulebook. We all recognise that there is no such thing as 100% secure, so demonstrating that reasonable measures have taken place should lessen the impact. The regulator will not impose a fine, the press won’t write about it, social media will be kind because you are just the unfortunate victim of a sophisticated/nation-state/zero-day attack, and, oh, your customers will simply accept that there is no such thing as 100% security and stay with you.
I suppose not all of the above will happen! But the impact should not be as significant as for a company that falls victim to, say, a SQL injection attack? Well, in the case of DynDNS, I have to say that I felt this company was seriously hard done by. In case you missed it, as a result of them being the victim of a major DDoS attack, it was reported that 14,500 domains stopped using their service. Why? I mean, if you are a customer moving to another provider, would they have done any better against the Mirai botnet? This was a failing of the entire technology sector, releasing the spew of vulnerable devices that allowed this router-killing Mirai botnet to disrupt Dyn.
This represents a frightening trend, in that it doesn’t matter what YOU do: you will lose customers. The only question is whether the breach is significant or interesting enough to garner the attention that will determine how many customers you lose.