SHACKELFORD: Hacking of Sony could finally trigger tough action

Question of the Day

Is it still considered bad form to talk politics during a social gathering?

View results

One of the biggest identity thefts in history took place between April 17 and 19. Cybercriminals penetrated Sony’s PlayStation Network and Entertainment Network and made away with the personal information of more than 102 million Sony customers - a figure close to the population of Japan. Lost information includes names, addresses, passwords and potentially the credit card information of users, setting off a public-relations disaster for Sony. The attack already has cost Sony several percent of its stock price and has led to calls for its CEO, Howard Stringer, to resign. The final tally for the attack is unknown, but data breaches cost U.S. companies on average $204 per lost consumer record. That means Sony may be liable for an eye-popping $20 billion in damages. Even more remarkable than the price tag is the fact that so few firms have recognized the danger of cyber-attacks. This finally may be beginning to change.

Cyber-attacks are widespread. More than 90 percent of respondents to a joint Computer Security Institute and FBI survey reported experiencing a cyber-attack during the past year, costing on average more than $2 million per organization. Identity theft alone costs consumers more than $5 billion per year, and firms lost another $48 billion. Fraud also is a huge problem, with more than 600,000 complaints and more than $1.8 billion in claims in 2008.

Victims of attacks and breaches in recent years have included AT&T, Bank of America, Citigroup, Wachovia, Starbucks, Nikon, General Electric, DSW Designer Shoe Warehouse, the University of Chicago and the states of Florida and New York, to name a few. A single incident involving the theft of a laptop owned by the Department of Veterans Affairs led to the loss of 26 million Social Security numbers of retired and active-duty military personnel, resulting in a class-action lawsuit claiming more than $26.5 billion in damages.

Yet despite the well-publicized cost, few companies recognize the real danger of cyber-attacks. A recent report released by Carnegie Mellon University’s CyLab interviewed board members at companies with $1 billion to $10 billion in revenues and found that 56 percent considered improving risk management a top priority, but none considered improving computer and data security to be a priority.

One tool to manage liability from cyber-attacks ranging from identity theft to cybercrime and even sophisticated state-sponsored industrial espionage is the use of cyberrisk insurance policies, which are insurance policies that cover losses from cyber-attacks and data breaches. These policies have been available for years, but they aren’t cheap, costing anywhere from $5,000 to $30,000 per year for $1 million in coverage. But there is some evidence that more companies are turning to the insurance market. In fact, one-third of respondents (including 80 percent of companies with $250 million to $500 million in revenues) to a survey conducted by Betterley Risk Consultants, a research and consulting firm, said they have cyber-insurance. Another 25 percent said they plan to buy it in the next 18 months. But the danger is that as cyberrisk insurance spreads, companies simply will pass off the insurance losses associated with cyber-attacks to their customers, resulting in little incentive to improve overall cybersecurity without government action.

The Sony attack may well be the tipping point. As losses mount, investors likely will stop treating cyber-attacks as a corporate nuisance and start treating them as a serious threat to the survival of firms and, at a macro-level, a clear danger to the long-term competitiveness of knowledge economies built on intellectual property.

Scott Shackelford is an assistant professor of business law and ethics at the Indiana University’s business school and author of the forthcoming book “Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations” (Cambridge University).

© Copyright 2014 The Washington Times, LLC. Click here for reprint permission.

blog comments powered by Disqus
TWT Video Picks
You Might Also Like
  • Maureen McDonnell looks on as her husband, former Virginia Gov. Bob McDonnell, made a statement on Tuesday after the couple was indicted on corruption charges. (associated press)

    PRUDEN: Where have the big-time grifters gone?

  • This photo taken Jan. 9, 2014,  shows New Jersey Gov. Chris Christie gesturing as he answers a question during a news conference  at the Statehouse in Trenton.  Christie will propose extending the public school calendar and lengthening the school day in a speech he hopes will help him rebound from an apparent political payback scheme orchestrated by key aides. The early front-runner for the 2016 Republican presidential nomination will make a case Tuesday Jan. 14, 2014, that children who spend more time in school graduate better prepared academically, according to excerpts of his State of the State address obtained by The Associated Press. (AP Photo/Mel Evans)

    BRUCE: Bombastic arrogance or humble determination? Chris Christie’s choice

  • ** FILE ** Secretary of State Hillary Rodham testifies on Capitol Hill in Washington, Wednesday, Jan. 23, 2013, before the Senate Foreign Relations Committee hearing on the deadly September attack on the U.S. diplomatic mission in Benghazi, Libya, that killed Ambassador J. Chris Stevens and three other Americans. (AP Photo/Pablo Martinez Monsivais, File)

    PRUDEN: The question to haunt the West

  • Get Breaking Alerts