The Cost of Computer Crime

What does a computer crime cost? This is not an easy question to answer. If a Web page of a brick-and-mortar business such as a lumber store is attacked and taken offline, the damage will be significantly different than the damage suffered by a bookseller that does business exclusively online. There are many reasons that organizations should consider estimating the cost of damages inflicted as a result of unlawful or abusive behavior impacting their IT resources:

  • Recovery of damages from criminals and other perpetrators of unlawful behavior

  • Recovery of damages from malicious employees, contractors, and former employees

  • Criminal prosecution

  • Administrative actions such as employee suspensions, censures, and dismissals

One generally accepted loss concept is that of calculating the actual financial impact of repairing the damage and restoring the system. These are relatively simple numbers to capture; however, when considering the damage resulting from lost reputation in the marketplace, things become more difficult. What about costs resulting from marketing to recover that reputation? And, what about missed sales opportunities? Can lost employee productivity be captured and calculated as damages? These are issues that are not clearly defined in the law and, for the most part, there is not much in the way of case law.

Whether such uncertain losses can be claimed is addressed under the legal concept of "proximate causation." In effect, this means that if the loss of a sales opportunity was directly attributable to an attack, it would be more material to the organization's losses than if the organization's market reputation were damaged as a result of the attack. It is a matter of evidence showing that financial losses were a direct result of unlawful acts.

Estimating the damages resulting from the theft of trade secrets and intellectual property is also a point of legal contention. Arriving at the value of combinations of tangibles and intangibles is challenging. Calculating the cost of the trade secret, including the costs of research and development, is fairly simple; but what of the potential profits that would have been realized once the product was released? How are those revenues estimated?

One of the most successful methods is that of licensing fees. If a competitor received stolen intellectual property or trade secret information that she otherwise would have needed to license before using, then the loss is the amount of the licensing fee and profits realized by the competitor directly attributable to the stolen information.

Effectively, corporations have four basic options that might be pursued when they have been victimized by attacks:

  1. Conduct an internal investigation with the goal of pursuing civil action against the attacker.

  2. Conduct an internal investigation with the goal of pursuing administrative action by dismissing, censuring, or suspending the offending employee.

  3. Report unlawful acts to law enforcement authorities, thereby complying with applicable laws and regulations.

  4. Do nothing, hoping that legal and regulatory authorities and stakeholders do not discover the attack.

There are many reasons not to report an attack:

  • Loss of share price

  • Embarrassment

  • Senior managers may fear dismissal

Many companies choose not to report unlawful acts because the business may find itself incurring substantial legal expenses with little to show for it. Some senior managers have the attitude that if an attacker gains unauthorized entry, even many times, he will likely receive a minimum sentence without monetary fines. While this might be the case, they ignore the opportunity to publicize the attacker's apprehension and punishment. Further, they can bring civil actions against the attacker and obtain sizable penalties, publicizing the fact that attackers are going to face vigorous prosecution. The objective of such legal actions is to convince other potential attackers that the named organization is not going to stand still for being attacked.

Challenges mount and attitudes are forced to change when a company discovers regulations and laws requiring the reporting of suspicious or material events:

  • Publicly traded corporations are required to report material events affecting their business operations.

  • Publicly traded corporations are required to safeguard assets at the risk of being sued by government agencies and stakeholders.

  • Financial institutions, insured by federal insurance agencies, are required to report suspicious activities within 30 days of their discovery.

Title 18 U.S. Code Section 4 requires individuals who have knowledge of crimes over which the United States government has jurisdiction to report them. Failing to do so can result in felony prosecution.
