As the financial sector has gotten better at dealing with data breaches of payment card information, criminals have increasingly switched their focus to other targets. But the shift of large-scale data breaches toward non-financial data (that is, data other than payment card numbers and bank account credentials) has rendered long-standing strategies for mitigating the damage of these breaches ineffective. This paper explores avenues of ex-post defense and damage mitigation that apply to emerging types of data breaches that target non-financial data, including medical records, personal communications, and personnel records. The central research questions it aims to answer are: How do the costs of non-financial data breaches differ from those of financial data theft, and in the aftermath of breaches of non-financial data, what has been and can be done to protect victims from harm even after their data has been stolen? To answer these questions, we analyze case studies of three organizations targeted in breaches of non-financial data reported in 2014 and 2015: the US Office of Personnel Management (OPM), Sony, and the health insurance company Anthem. We review the different ex-post mitigation strategies undertaken following each incident and discuss the reasons certain types of harm — including identity theft and fraud — provide many more opportunities for ex-post mitigation than other types of harm, such as humiliation and espionage.
For each of these classes of harm, we discuss how defenders may try to limit the extent of those harms using mechanisms that fall into five broad categories of ex-post mitigation strategies: (1) limiting the value of stolen information to criminals, (2) drawing attention to the theft and thereby limiting the longevity of stolen information, (3) shifting or limiting liability and insulating specific classes of victims from harm, (4) limiting the spread or transfer of stolen data, and (5) identifying, arresting, and prosecuting the perpetrators.
Wolff, Josephine and Lehr, William, Ex-Post Mitigation Strategies for Breaches of Non-Financial Data (March 30, 2016). TPRC 44: The 44th Research Conference on Communication, Information and Internet Policy 2016. Available at SSRN: https://ssrn.com/abstract=2756842 or http://dx.doi.org/10.2139/ssrn.2756842