By Ceri Coburn, CTO, Fortium Technologies
Equifax suffered the worst data breach ever recorded in terms of monetary and reputational loss — at least this was true at time of writing. If it seems odd to say that “only” 146.6 million individuals had sensitive data stolen from Equifax’s servers – consider that number is significantly smaller than the whopping 1.5 billion Yahoo! accounts breached between 2013 and 2016.
There are many reasons to conclude that the Equifax breach is very possibly the worst leak of personal info ever: the personal data stolen was perfect for identity thieves, with names, addresses, social security numbers, driver’s license and passport numbers all included.
Since then, Facebook has confirmed that it “lost” users’ personal data thanks to a bug in its authentication systems, but has been unable to reveal which accounts, and what data. I guess that’s a bit like losing your car keys for a car you didn’t realize you had?
With potential General Data Protection Regulation (GDPR) ramifications looming from the EU, Facebook could face a fine of 4 percent of global turnover — this was $40 billion in 2017 — so potentially we’re looking at a fine of over $1 billion, depending on the aftermath and how Facebook handles this.
We have also heard about a recent data breach at Uber, which involved a $100,000 cover-up to buy off the 17-year-old who discovered the exposed details of its driver network. Fast forward 18 months and this flouting of the rules was not greatly appreciated by the authorities, leading to Uber being fined over $148 million (about 4 percent of yearly revenue in 2017, perhaps taking a cue from the European regulations mentioned above).
“This is one of the most egregious cases we’ve ever seen in terms of notification,” Lisa Madigan, the Illinois attorney general, said to the Associated Press in late September. “And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.” I hope Facebook chairman Mark Zuckerberg is paying attention to that last line!
In M&E, sales losses outweigh fines
What has this got to do with M&E? First, the numbers mentioned above are a bit of a red herring. The largest fines from data breaches are often 4 percent of revenue, as previously stated. But we know that pre-release leaks of movie content average out to a 19.1 percent fall in box-office takings, thanks to a study by Carnegie Mellon back in 2014. That’s worse than the highest possible fine a company can receive for misplacing personal data with GDPR. We should be looking at “media leaks” or “media breaches” from now on – and these have a much more significant impact than data being lost.
Also bear in mind that 19.1 percent is an average for a media breach; Expendables 3 was infamously leaked two weeks before the box office launch. Its box office takings were over 50 percent less than its predecessor, which equates to a $46 million like-for-like loss.
A company’s response to a data breach can often mitigate any potential fines – Uber’s fine was so high because of its dishonesty in reporting. For a media breach, the response would most likely depend on how efficiently the content owner or distributor can get pre-release content removed from illegal channels.
While strides have been made in this area, thanks to forensic watermarking and auditing technologies, this is still a reactive measure. If the leak has not been stopped at its source, the symptoms are merely being treated while the potential for another accident looms.
Money well spent
More reliable cybersecurity investment is needed: this should be spent on proactive measures, like file encryption of at-rest software to keep files secure against accidental or targeted training. We can then close potential loopholes for at-risk individuals or perceived security gaps in the supply chain. During the IBC Cyber Security Conference in September, talk centered on how individuals who aren’t involved day-to-day in security need to start realizing security measures are put in place to protect their jobs and reputation.
No one wants to be the one responsible for a media breach, so empowering employees within post-production, localization and marketing to protect themselves, through either software tools or increased training, is a sensible approach.
The psychology around cybersecurity is beginning to change – it isn’t a cost to your work productivity or a percentage point sapped away from the budget. Every dollar allocated to cyber security that prevents a media leak is also going to be saving time, money and resources.
* Jobs, at all levels. CEOs at the time of high-profile data leaks have been pushed out, or sacked, along with employees lower down the ladder.
* Retaining staff and staff morale. Would your staff be comfortable firefighting a potential leak? Seeing your own creative output stolen cannot be a good feeling.
* Recruiting staff. If staff do leave, how easily can you recruit the best talent if negative PR surrounds a recent project?
* Long-term reputation. Can you keep all business relationships and contracts secure, if a media leak happened on your watch?
* Rescheduling of marketing plans. How quickly can you turn around the trailer you wanted to release, not the watermarked version that has appeared on YouTube a few weeks earlier than planned?
* Cold hard cash. It’s better to be safe than sorry.
All companies, big and small, across all industries, are realizing that specific cybersecurity investment is needed to help them stay secure. It isn’t a debate anymore; it’s a realization being made by decision makers across the globe. The savings, monetary or otherwise, are too big to ignore.