[BreachExchange] Neiman Marcus data breach settlement tells us plenty about the ROI of security

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 3 18:35:29 EDT 2017


http://www.computerworld.com/article/3186285/retail-it/neiman-marcus-data-breach-settlement-tells-us-plenty-about-the-roi-of-security.html

There is a security ROI dance in retail today. Executives know that they
can skimp on security and have a statistically decent chance the company
won't get caught by a cyberthief before someone else has their job. The
only way that security has a chance of achieving a reasonable ROI is if the
pain that results from a breach is massive. It rarely is, as the recent
data breach settlement from Neiman Marcus illustrates only too well.

Back in January 2014, Neiman Marcus announced a data breach, even though it
had known about it for roughly a month. The chain initially reported that
the attack — which happened in 2013, between July 16 and Oct. 30 — impacted
1.1 million customers, a number that the retailer later reduced to 370,385.
About 9,200 shoppers experienced actual fraud.

The company settled a class-action lawsuit for $1.6 million, much of it
covered by insurance. And even that may be more than it ends up paying.
Shoppers — many of whom will not even learn of the settlement — need to go
through an elaborate paperwork process to apply for a tiny share of that
money.

Neiman Marcus hardly has an incentive to make its shoppers aware. The
amount slated for consumers is just one-fourth of that amount, $400,000,
with the rest going to attorneys' fees and expenses. (The fact that 75% of
this consumer settlement isn't going to consumers is a topic for another
day.)

From the settlement filing: "In the event that the Settlement
Administration Charges amount to less than Four Hundred Thousand Dollars
and No Cents ($400,000), Neiman Marcus will retain the difference between
such Settlement Administration Charges and Four Hundred Thousand Dollars
and No Cents ($400,000)." In other words, if an insufficient number of
shoppers successfully apply for the money, the retailer gets to pocket the
difference. That's an impressive reverse incentive.

The most interesting part of the Neiman Marcus settlement filing is where
the retailer lists a bunch of things it has done to improve its security
post-breach. Before we delve into that list, it's important to note that
this is all part of the poor ROI structure for security matters. Even when
a retailer has horrible security, it can take comfort in the fact that it
will be cut some slack if it improves that security post-breach.

This forces the question: How much did Neiman Marcus improve security
post-breach? And how meaningful were those changes?

The first item the chain listed was this: "Neiman Marcus created and filled
the position of Chief Information Security Officer (CISO), an executive
position with responsibility to coordinate and be responsible for Neiman
Marcus’s program(s) to protect the security of customers’ Personal
Information."

Wait a second. A $5 billion retailer did not have a CISO before? I love how
the chain is taking a bow for creating this role and hiring someone. But
what authority will the CISO have? Can he or she block any initiatives that
don't pass security guidelines? Hiring a CISO doesn't help much if that
officer isn't listened to, any more than hiring a chief counsel will, on
its own, prevent lawsuits from being filed and won.

The chain also touted hiring people for a new information security
organization. And then there's this: "Neiman Marcus increased the frequency
and depth of reporting to its executive team and members of its board of
directors about its cybersecurity efforts and the cybersecurity threat
landscape."

This, again, sounds encouraging until you realize what's missing. Having
senior management aware of security issues is great, but it won't help much
if management isn't willing to do what security requires, such as providing
adequate security funding and enforcing workflow processes such as having
security sign off before a project is deployed (that should include a
willingness to torpedo potentially profitable initiatives if security can't
adequately protect them).

Then Neiman Marcus touted this accomplishment: "Neiman Marcus equipped all
of its Stores with devices that allow customers to pay for purchases using
payment cards containing embedded computer chips."

Really? Complying with years-old card-brand requirements for accepting EMV
is something to tout? Yes, it's a slight security improvement, but it
wouldn't have done much to avert this breach.

Neiman Marcus also tossed in this one: "Neiman Marcus invested in a new
tool to automatically collect and analyze logs generated by Neiman Marcus
systems for potential security threats." No indication of what the tool is,
not that it makes any difference. And that's the whole point.

I am confident that multiple IT people at Neiman Marcus had flagged
security shortcomings before the breach. Having mechanisms in place to
identify a potential problem does little good if senior management chooses
not to act on it.

What if the chain put real power into the hands of professional security
executives? I am routinely amazed by how much power senior management is
willing to give its financial executives and investor relations over what
to report to the SEC and Wall Street, compared with how little power they
give IT and security executives over IT and security matters.

Putting people and tools in place is nice. Giving those people actual power
is very different.