Data Security (Or Lack Thereof) Continues To Make Headlines

Don Miller

Adobe Reports Massive Data Breach

Adobe this week reported what it characterized as a “sophisticated” cyber attack.  Hackers circumvented Adobe’s data security measures to gain access to confidential information affecting 2.9 million customers worldwide.  To make matters worse (much worse), the hackers stole Adobe source code for products such as Acrobat and ColdFusion.  So Adobe has some serious data security concerns, again.

The loss of customer information and trade secrets will have major implications for Adobe, both financially and legally.  Data breach response costs are rapidly increasing.  According to a recent study, the average annual expenditure by companies has reached $11.6 million per year. So you may ask, “Why is it so costly?”  Let’s address that question in the context of the Adobe data breach incident.

Notification and Penalties

Forty-seven states have laws covering notifications of and penalties for Adobe-like data breaches, and the laws of the state where the victim resides will apply, not the laws of the state where Adobe is based.  Many other countries have similar types of laws.

As for notification, Adobe said that affected customers will be notified via email.  This will be a mammoth operation given the sheer numbers of affected customers who are located in all geographies of the world.  When you have such a massive breach, resources will be needed to verify that email addresses are valid, contact next of kin for customers who have died, etc.  At the same time, a call center will likely be established because both regulators and customers will have lots of questions.  As you might expect, such an operation is expensive.

Potential penalties vary by state.  In some states, Adobe faces fines of determinate amounts which can reach into hundreds of thousands of dollars.  Other states do not specify a damage amount, which means it is difficult to estimate potential damage amounts.  Still other states calculate penalties based on the number of consumers affected.  Needless to say, Adobe’s potential exposure to such penalties is significant.

Credit Monitoring and ID Restoration

Adobe customers now face the prospect of becoming the victim of identity theft, which could potentially be a problem they will have to deal with for the rest of your life.  Adobe will therefore have to devote substantial resources to ensure that affected customers are taken care of so they can get their lives back in order.

To that end, Adobe promised to provide instructions to affected customers about how to guard against credit card fraud.  Adobe also said U.S. customers will be offered the option of enrolling in a one-year complimentary credit monitoring membership.  In addition, Adobe notified the banks involved in customer payments for Adobe, so that the company can work with the credit card companies and card-issuing banks to help protect customers’ accounts.  All of these steps are necessary, but costly.

Computer Forensic Services

Adobe will want to know the exact cause of the breach.  Thus, Adobe will task its IT resources with capturing and analyzing all relevant data from the suspect systems.  For smaller businesses, this whole process might only take a week.  For a large, multi-national organization like Adobe, it may take months of effort from dozens of resources located in all geographies of the world.  Again, a substantial cost item.

Legal Counsel

As with any crisis, Adobe will want to engage legal counsel very early in the process to provide expert legal advice about its response and legal compliance duties.  Much time and expense will be involved in determining applicable regulatory/legal requirements in all 50 states and for other countries around the world.

Lesson Learned:  Be Proactive, Not Reactive

In the course of providing secure data transmission solutions over the last 20+ years, the experts at bTrade have developed a solid understanding of what causes data breaches.  While multiple factors can contribute to an incident, the most common problem we see, for organizations of all sizes, is the failure to be proactive.  Many such incidents are preventable.  Companies often devote substantial amounts of money to sales and marketing efforts, while ignoring or doing very little to protect their important IT assets.  Some folks wrongly feel comforted by the existence of firewalls.  But having an effective firewall is only one cog in an effective data security machine. We always suggest taking a holistic view of the issue.

Understand Your Data Flows

What do we mean by taking a holistic view?  Basically, it requires taking a step back to examine and understand your data flows—i.e., the path that data takes from the time it enters your organization until it reaches its final destination.   You need to have a firm grasp on what happens with this data—i.e., which systems it touches, where it goes, how it gets there, and what happens to it thereafter.

A Managed File Transfer Solution Can Help You Be Proactive

A managed file transfer solution, such as secureXchange, gives you the ability to comprehensively follow your data flows and determine which systems it touches, which individuals are touching it along the way, how it gets there, and how it is stored once it reaches its final destination.  In short, it provides a unified view of your global data transmissions across all platforms.

Allow bTrade to Help You

To avoid the ever-increasing costs associated with an Adobe-like data breach incident, the most critical first step is to talk with a data security expert who understands the issues and can explain the nuances of data security specific to the needs of your organization.  It’s all about taking a holistic view of your data transmissions process, and we can help in that regard.  If you want to take advantage of our many years of experience, send a confidential email to info@btrade.com.