Testimony before the Federal Trade Commission last week that a cybersecurity firm staged data breaches to extort clients has importance for all organizations. Data breaches and cybersecurity relating to personal information are areas fraught with significant risks, but the fear that they generate exceeds the risks in many respects, due in part to ignorance that most experts in breach response have no interest in eradicating. Situations in which fears are very big and exceed risks are great opportunities for insurers, but also draw lots of service providers who do very well financially in that delta between hype and truth until the whistle blows; the good news is that it has finally blown.
The testimony, while explosive in its detail, was not surprising, because we have been expecting it for years now. You can relive the experience through LabMD’s eyes by reading Michael Daugherty’s book released in Fall 2013. And although I myself find the testimony credible, I am certainly not the guy on whom you should rely as to its truth, because — disclaimer — I and my firm have had the privilege of representing LabMD in aspects of its dispute with the FTC.
Here is what I offer you: Just as when Edward Snowden’s revelations came out, I immediately tried to offer predictions that proved useful to many of you on how those disclosures could impact organizational privacy programs, cloud contracts and encryption strategies, so I now want to offer you ideas for making the testimony of this new whistleblower useful in avoiding the cybersecurity protection rackets that are all around you — to be sure much less extreme than the one he alleges — but arguably protection rackets nonetheless.
For example, insurance brokers may try to sell you cyber-risk insurance policies that may not speak to your most serious risks. Your big risks from data security breaches may have nothing to do with the classes of personally identifiable information (PII) that are the focus of cyber-risk insurance policies; your larger cyber-risks might instead be in the area of non-PII knowledge assets or third-party tort or contractual liability associated with risks to life and limb well beyond PII. If so, then cyber-risk insurance policies are hammers in search of nails, and you are not a nail.
To take another example, insurers, lawyers and others may tell you to provide credit monitoring in every notice-triggering breach even though credit monitoring is ineffective or not the most effective way to protect the victims of many types of breaches, just because credit monitoring is a standard offering in what we might call — paraphrasing Schneier — security breach theater. Lawyers may also accept the job of defending you against costly class action lawsuits brought by your own customers without telling you everything you could do to avoid such litigation. (The number of such suits since the Supreme Court effectively precluded them on standing grounds in 2013 tells that story powerfully right now, in ways that may not be as obvious if the Supreme Court expands standing substantially in Spokeo v. Robins.)
Then there are the crisis managers, who of course want crises. How much of a crisis is it, though, if — as you learn when you adopt sophisticated data loss prevention tools — it is happening to your organization all the time?
What you need, instead, is good security, good incident response, and good narrative and appropriate transparency with your customers and regulators about both. And to get there, you need good general risk assessment and prioritization done by trusted internal or external cybersecurity generalists.
One more thing about this week’s testimony, and another reason I have gone beyond the LabMD case in this post: There is a lot here for a great journalist to explore, as Snowden spawned major books and documentaries. If there is anything to the testimony, it is a story about money and power in one of the defining areas of collective fear and — we must hope — collaborative effort in this century. And as we try to come together as a country and a free world to confront the much bigger cyberthreats that face us, there is nothing more important than knowing how to reject dependency and achieve resilience.