New Book Proposes Better Risk Management for Data Breaches

Thursday, August 15, 2019

According to a 2019 study sponsored by IBM Security, the average total cost of a data breach in the United States is $8.19 million. And yet, many companies don’t invest enough time or money to protect themselves and their customers from hackers.

Cover for "Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy" (2019)Professor Richard Warner of Chicago-Kent College of Law and Professor Robert Sloan, head of the computer science department at the University of Illinois at Chicago, explore this issue and possible solutions in their new book Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy, published in summer 2019 by CRC Press. The book is written in accessible language for anyone interested in data security from a practical or policy perspective. 

In Why Don't We Defend Better?, Warner and Sloan combine issues of technology, business, risk management, and legal liability to explain why data breach defense is often ineffective, and how to respond to the increasing frequency of data breaches. 

“As a society we’re losing money that we shouldn’t lose,” Warner says, “and individual businesses are facing significant loses.” 

The authors propose creating a database—administered by the federal government or an industry group—where companies could anonymously report their data breaches. The information would be selectively available to other businesses and researchers. 

“We don’t have sufficient data on the probabilities of data breaches and sufficient data on the harms, so businesses are paralyzed,” explains Warner, whose research focuses on the regulation of online privacy, security, and competition. He has given lectures on behalf of the United Nations on internet security and on behalf of the FBI on global cybercrime. Warner currently serves as a member of the U.S. Secret Service’s Chicago Electronic Crimes Task Force.

With the information from the database, companies would be better able to calculate the probability of a data breach, to assess the potential losses for themselves and their customers, and to estimate how much to spend on reasonable data security. Lawyers suing or defending a company could use the information to assess the reasonableness of the company’s defensive procedures. 

The book’s message, the authors’ note, has taken on particular urgency with the growth of the internet of things. 

“We think we’re connected now, but the internet of things is a hyper-connected world,” says Warner. “It’s not just your cell phone. It’s your refrigerator. It’s your doorbell. It’s your car. It’s practically every device you have, plus the sensors in the street, the drone surveillance, the data that feeds in. Everything is hyper-connected.”

With more devices—from Bluetooth-controlled locks and security cameras to self-driving cars and traffic lights—connected to the internet, hackers could not only steal data but potentially take control of these devices. 

“Now is the time to have this conversation,” the authors insist. 

 

Contact