Weighing Pros, Cons of Reporting Breaches to AuthoritiesWorking with Law Enforcement Pays Off, DoJ Officials Say
Simply, the more financial damage prosecutors can show a judge a convicted hacker caused at sentencing, the more time the digital criminal will send behind bars.
That was the message sent to lawyers attending a cybersecurity law conference at Seton Hall University Law School on Wednesday by a panel of federal prosecutors and FBI cybercrime experts. Too often, the experts said, corporate victims of cybercrimes want to hide or minimize their losses because they feel public knowledge would damage their corporate reputation and stock price. That's a mistake the panelists said.
These data breaches are more like shoplifting nowadays; they are run of the mill; they happen all of the time.
Erez Liebermann, chief of the computer hacking and intellectual property unit for the U.S. attorney's New Jersey district, pointed out that despite a big hit in Heartland stock after the breach became public, its stock price rebounded in a year. And, he said, because of the size of the breach, Heartland was an exception. The doomsday scenario that breaches will bankrupt companies is not true. "These data breaches are more like shoplifting nowadays; they are run of the mill; they happen all of the time," Liebermann said. "And, if companies start to report them more often, they wouldn't make any news, frankly, because shoplifting and bank robberies barely make news."
To support his point, Liebermann said he looked at the per-share stock price of Lockheed Martin, a victim of a highly publicized data breach that occurred in late May (see RSA: SecurID Hack Tied to Lockheed Attack). In April, a month before the breached became public, Lockheed Martin stock traded in the mid-$70 range; this past week, the stock traded at the same level.
"So when the general counsel or CEOs of CFOs say, 'We're not reporting this. You Mr. IT, the guy in the company, I know you discovered it, but I'm not going to let you call the FBI because it will kill the company.' You tell them that's simply not true. Maybe it was one day, but it's not today. The (stock) cost of data breaches are simply non-existent anymore. You need companies to start realizing that so that paralyzing fear is not taking hold."
Even when organizations immediately contact law enforcement, hard choices must be made between conflicting interests. Victims want to plug holes in the system immediately so further information isn't leaked; law enforcers want the holes to remain open in hopes of catching the infiltrators.
Liebermann related a case in Detroit in which cyberthieves infiltrated the computers of the home improvement retailer Loews through a Wi-Fi network to steal credit card numbers. Despite potential further losses - and liability - of allowing more numbers to be pilfered, Loews agreed not to shutdown the system. Instead, Loews lowered the power on the Wi-Fi signal, and an alert FBI agent noticed a nearby car inching closer and closer to the Loews' building. Authorities arrested the occupants, who were sentenced to nine years in jail for the hack.
"I don't think that was an easy decision to keep the hole open. It may expose (the company) to greater litigation, but at the same time, you really want to catch the guy, you really want to know what your exposure has been, Liebermann said. "It's really brave when a company says, 'We really want to catch the bad guys.' The reality is, and I think Sony may be experiencing this now, if you don't stop, they are going to come back again and again and again."
Breaches have become the norm, and organizations working with law enforcement should become standard practice, no ifs, ands or buts.