Why Don’t We Defend Better? Data Breaches and the Lack of Information Problem
How many data breaches occur per day? At least four, conservatively estimated. The average cost is controversial, but the aggregate cost is clearly high. Security experts explain how to defend better. So, why don’t we? Why does society tolerate a loss that it could avoid?
To answer, consider two kinds of losses: consumer and business losses. Businesses could invest in data breach defense with the goal of minimizing the sum of the cost of the defensive measures plus expected consumer losses with those defensive measures. Call that the consumer risk management goal. Businesses don’t adequately approximate that goal. That is hardly surprising. Profit-driven businesses ignore consumer losses unless they impose corresponding losses on the business. The standard legal reaction is to impose liability for inadequate defense. Cases typically spread out across a spectrum with egregiously inadequate defense at one end and defensive overkill at the other. The middle is home to adequate approximation of the risk management goal. Plaintiff victories typically start at the egregious end of the spectrum and reach toward, but stop short of, the adequate approximation middle. For data breaches, however, the cases holding defendants liable are all at the egregiously inadequate defense end. Why?
We answer by asking and answering another question. Why do a surprisingly large percentage of businesses fail to approximate the business risk management goal? That is the goal of minimizing the sum of the cost of the defensive measures plus all the expected business losses with those measures. Adequate approximation is the long run profit-maximizing strategy. Surveys reveal businesses falling far short of this goal. One explanation is that corporate culture struggles with incorporating cyber risk management into its decision making. We do not minimize the importance of this problem, but we focus on an information problem that remains even for a corporate leadership dedicated to cyber risk management.
Approximating the business risk management goal requires estimating expected losses from adopting a particular type of defense against a particular type of data breach. To do that, one needs information about the cost of the loss a type of breach imposes and about the probability of that breach occurring. We do not have sufficiently accurate estimates of either. This creates a shopping list problem. Security experts can present businesses with a defensive technologies shopping list, but what should a business buy off that list? Without an answer, one sees underspending (which appears most common) and overspending.
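The shopping list problem can be made concrete. The following is an added illustration, not part of the essay: it minimizes the sum the business risk management goal names (defense spend plus expected loss with that defense) over every subset of a short list of defensive measures. All breach types, measure names, probabilities, losses and reduction factors are constructed for the example; the final scenario changes one probability estimate to show that the optimal purchase flips when that estimate is wrong, which is exactly the information gap the paragraph describes.

```python
from itertools import combinations
from typing import Dict, Iterable, Tuple

# Constructed example figures (not from the essay): annual probability of each
# breach type and the loss to the business if it happens, in dollars.
BREACH_TYPES: Dict[str, Tuple[float, float]] = {
    "phishing":    (0.30, 400_000.0),
    "lost_device": (0.10, 150_000.0),
    "web_app":     (0.05, 1_200_000.0),
}

# Constructed shopping list: annual cost of each measure and the fraction by
# which it cuts the probability of the breach types it addresses.
MEASURES: Dict[str, Tuple[float, Dict[str, float]]] = {
    "mfa":             (40_000.0, {"phishing": 0.6}),
    "awareness":       (20_000.0, {"phishing": 0.2}),
    "disk_encryption": (15_000.0, {"lost_device": 0.9}),
    "app_pentest":     (60_000.0, {"web_app": 0.5}),
}


def residual_probability(breach: str, chosen: Iterable[str],
                         breaches=BREACH_TYPES, measures=MEASURES) -> float:
    """Breach probability after applying each chosen measure's reduction
    multiplicatively (the reductions are assumed independent)."""
    p = breaches[breach][0]
    for m in chosen:
        p *= 1.0 - measures[m][1].get(breach, 0.0)
    return p


def expected_loss(chosen, breaches=BREACH_TYPES, measures=MEASURES) -> float:
    """Sum over breach types of residual probability times loss."""
    return sum(residual_probability(b, chosen, breaches, measures) * loss
               for b, (_, loss) in breaches.items())


def total_cost(chosen, breaches=BREACH_TYPES, measures=MEASURES) -> float:
    """The quantity the risk management goal minimizes: defense spend plus
    the expected loss with that defense in place."""
    spend = sum(measures[m][0] for m in chosen)
    return spend + expected_loss(chosen, breaches, measures)


def best_portfolio(breaches=BREACH_TYPES, measures=MEASURES):
    """Exhaustive search over every subset of the shopping list (fine for a
    short list). Returns (chosen measures, total cost); buying nothing is
    the baseline the search has to beat."""
    names = list(measures)
    best = (frozenset(), total_cost((), breaches, measures))
    for k in range(1, len(names) + 1):
        for subset in combinations(names, k):
            c = total_cost(subset, breaches, measures)
            if c < best[1]:
                best = (frozenset(subset), c)
    return best


def with_probability(breaches, breach: str, p: float):
    """Copy of the breach table with one probability estimate replaced, used
    to see how sensitive the purchase decision is to that estimate."""
    updated = dict(breaches)
    updated[breach] = (p, breaches[breach][1])
    return updated


if __name__ == "__main__":
    chosen, cost = best_portfolio()
    print(f"no defense:       {total_cost(()):>12,.0f}")
    print(f"buy everything:   {total_cost(tuple(MEASURES)):>12,.0f}")
    print(f"best purchase:    {sorted(chosen)} at {cost:,.0f}")
    # Same shopping list, but the web_app probability estimate is 0.15 not 0.05.
    hi = with_probability(BREACH_TYPES, "web_app", 0.15)
    chosen_hi, cost_hi = best_portfolio(hi)
    print(f"best if web_app p=0.15: {sorted(chosen_hi)} at {cost_hi:,.0f}")
```

With the constructed figures, buying everything costs more than buying nothing (the overkill end of the spectrum), buying only the one measure with a favourable cost-to-loss-reduction ratio is optimal, and tripling a single probability estimate adds a second measure to the optimal purchase. The search is linear in the size of the list only because the list is short; the point is that without credible probability and loss figures none of these comparisons can be made at all.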
This information problem also explains why plaintiffs win data breach court cases only at the egregiously bad end of the spectrum. Defendants can argue that their practices are similar to most other businesses’, and courts will treat the defendant’s conformity as evidence that their practices were presumptively reasonable. Without relevant information about probabilities and losses, plaintiffs lack an adequate counter.
The solution is to get the needed information. For businesses, we propose mandatory anonymous business reporting of relevant information about data breaches. For consumers, because of privacy concerns, we propose voluntary participation in government-funded surveys. Is our proposal necessary? Don’t data breach notification statutes yield the necessary information? They do not generate information about the cost, nor are they a reliable source of information about the probabilities of different types of breaches.