By Jonathan Cogley, CEO, Thycotic Software
An excruciating legal saga came to a close in May 2014, when former EnerVest IT administrator
Ricky Joe Mitchell of West Virginia was sentenced to four years in a federal prison for his
intentional sabotage of his employer’s network. He was also ordered to pay $428,000 in
restitution and $100,000 in fines.
As court documents showed, when Mitchell heard that his job with the oil and gas company was
on the chopping block, he didn’t go quietly; instead, he reset the company's servers to their
original factory settings and disabled cooling equipment for EnerVest’s systems, along with a
data-replication process.
As a result, EnerVest was unable to communicate reliably with customers or conduct business
operations for a full month and was forced to spend hundreds of thousands of dollars on data
recovery efforts. The incident cost the company over $1 million, according to the prosecution.
Assessing the damage: Reputation and beyond
When tallying the costs associated with a data breach, most organizations look at the potential
loss of intellectual property and short-term and long-term damage to their systems, as well as
remediation and forensic costs required to identify and prosecute the cybercriminal responsible.
Organizations should also factor in the cost associated with reputation damage, which may
harm revenue, as well as any industry fines they may incur.
Depending on the nature of the breach, the company itself might even face prosecution. These
costs can be sizable and some are difficult to fully quantify, especially damage to the company
brand. As the recent Target breach demonstrated, fallout from these types of attacks can
quickly tarnish the careers of IT executives, resulting in CISOs or CIOs being forced to step
down.
However, in addition to all of these, organizations must now consider punitive damages arising
from legal proceedings brought by those affected by data breaches. For example, the class
action lawsuit against health insurance provider AvMed presents some sobering implications for
companies that have experienced a breach involving their customers’ information.
In the $3 million settlement, 460,000 individuals whose personally identifiable information was
exposed are being compensated, even though they did not experience identity theft themselves.
They did not have any of the demonstrable damages typically required for any sort of
remunerative relief in class action suits. Instead, they are being compensated on the basis that
their insurance premium was overpriced due to the expectation that some portion of the
premium would be spent on data security, and the breach shows that didn’t happen. In this