Monthly Archives: November 2015

Is your company ready for a big data breach? Only one-third say they are

Larry Ponemon


With data breaches continuing to increase in frequency and severity, it comes as no surprise that businesses are acknowledging this risk as a top concern and priority. Nearly half of organizations surveyed report having a data breach involving the loss or theft of more than 1,000 records containing sensitive or confidential information in the past two years. And the frequency of data breaches is increasing. Sixty-three percent of these respondents report their company had two or more breaches in the past two years.

However, the findings from our Third Annual Study: Is Your Company Ready for a Big Data Breach, sponsored by Experian® Data Breach Resolution, show that many companies still lack confidence in their ability to manage these issues and execute their data breach response plan. We surveyed 604 executives and staff employees in the United States who work primarily in privacy and compliance.

Since 2013, we have tracked changes in how confident companies are in responding to a data breach. This year, we took our analysis a step further by digging into what companies are specifically including in their data breach response plans, to get to the root cause of why their confidence is lacking and the areas where they struggle to follow best practices.

As shown in Figure 1, of the 81 percent of respondents who say their company has a plan, only 34 percent say these plans are very effective or effective. This is a slight increase from 30 percent in 2014. Thus, major gaps remain in how comprehensively they are preparing for a data breach.

Specifically, organizations aren’t taking into account the full breadth of procedures that need to be incorporated in the response plan and aren’t considering the wide variety of security incidents that can happen. The good news is that some of the barriers to addressing those issues can be easily solved.

Some of the key findings we uncovered from this year’s survey include:

Data breaches are more concerning than product recalls and lawsuits. A majority of business leaders acknowledge the potential damage data breaches can cause to corporate reputation is significant. They ranked a data breach second only to poor customer service and ahead of product recalls, environmental incidents and publicized lawsuits. The combination of the higher likelihood and significant impact has caused data breaches to be a major issue across all sectors.

Data breach preparedness sees increased awareness from senior leadership. Boards of directors, chairmen and CEOs have become more involved and informed in the past 12 months about their companies’ plans to deal with a possible data breach. In 2014, only 29 percent of respondents said their senior leadership was involved in data breach preparedness. This year, perhaps due to recent mega breaches, 39 percent of respondents say their boards, chairmen and CEOs are involved at a high level. Most interesting, their participation in a high-level review of the data breach response plan in place increased from 45 percent to 54 percent of respondents.

Significant increase in response plans over three years. As discussed above, this year more companies have a baseline data breach response plan in place. Since first conducting this study in 2013, the percentage of organizations that reported having a data breach response plan increased from 61 percent to 81 percent. However, it is surprising that still not all companies are taking the basic step of developing a data breach response plan.

Many are still struggling in terms of feeling confident in their ability to secure data and manage a breach. Figure 1 above shows only 34 percent of respondents say their organizations’ data breach response plan is very effective or effective. Despite increased security investments and incident response planning, when asked in detail about the preparedness of their organization, many senior executives are not confident in how they would handle a real-life issue.

The following findings explain why respondents rate these plans as less effective than they should be:

  • Forty-one percent of respondents say their organization’s data breach response plan is not effective, or are unsure about its effectiveness.
  • Only 28 percent of respondents rate their organization’s response plan as effective in reducing the likelihood of lawsuits, and only 32 percent rate their response plan as effective for protecting customers.
  • Executives are concerned about their ability to respond to a data breach involving confidential information and intellectual property: only 39 percent report they are prepared to respond to this type of incident.
  • Only 32 percent of organizations report they understand what needs to be done following a material data breach to prevent negative public opinion.
  • Only 28 percent of organizations are confident in their ability to minimize the financial and reputational consequences of a material breach.

Fine print alert: Hey kids! Your parents have read and agreed to this, right? (wink)

Hey parents! You won’t believe the contracts your kids have been roped into.

Like a fine print virus spreading quickly around the globe, underage teenagers are suddenly being shrink-wrapped into contracts of dubious enforceability all around the web. The situation highlights a conundrum for companies targeting the 13-17 crowd: how to set rules with minors who generally can’t actually consent to contract terms, and almost certainly don’t get their parents’ permission to do so.

Snapchat changed its terms of service recently, attracting a lot of attention. While most of it was focused on the company giving itself virtual ownership over content posted on the service, something else in the terms caught my eye.

“By using the Services, you state that: You can form a binding contract with Snapchat—meaning that if you’re between 13 and 17, your parent or legal guardian has reviewed and agreed to these Terms.”

Well, really it caught privacy lawyer Joel Winston’s eye. He called it to my attention.

Let me take a guess and estimate that of Snapchat’s roughly 100 million users, most of them minors, perhaps 43 or so have shown those terms to their agreeable parents. In other words, if your kid uses Snapchat, he or she has almost certainly lied about you to the company, all in the name of forming a contract – of sorts.

Winston had a different problem with the language.

“A minor cannot declare herself competent to sign a binding contract that would otherwise require consent from an adult,” he said. There are some exceptions to that, which we’ll get to. But the headline point remains. Generally speaking, contracts with minors aren’t really contracts.

So what’s this language doing in Snapchat’s terms of service? It’s not just Snapchat. That very language appears in lots of kid-focused services, like Skout (a flirting tool), THQ (a game site), and even (an animal rights site.) Similar terms appear across the Web.

Snapchat certainly is a leader in the 13-17 space, however. I asked the firm to comment about its terms. It declined.

When I ran Snapchat’s terms by Ira Rheingold, executive director at the National Association of Consumer Advocates, he was aghast.

“Why did they do this, to frighten people into not suing them?” he said, rhetorically. “I cannot imagine any court would find this binding. No lawyer worth his salt would think this is going to stick…a youngster cannot consent.”

Maybe…and maybe not. Last year, a California court actually did rule that, in some circumstances, terms of service are enforceable against minors. That case involved Facebook’s use of member photos in “Sponsored Stories.” Facebook’s terms at the time provided for what amounted to a publicity rights release, and the plaintiffs in the case argued that release was unenforceable. A judge sided with Facebook.

To put a fine point on it, minors can agree to certain kinds of contract terms (those that allow them to work, for example), but such contracts have a unique status and can be voided at any time by the minor. Because the plaintiffs in the case continued to use Facebook, they had not voided their contract, and therefore Facebook was protected by the agreement.

“This is a big win for all online services, not only Facebook,” wrote Eric Goldman in a blog post about the case.

The situation highlights the unique problem of dealing with children over 13 but under 18, Goldman said to me.

“Snapchat may have legally enforceable contracts with minors. Contracts with minors are usually ‘voidable,’ meaning that the minor can tear up the contract whenever he/she wants. However, until the minor disaffirms, the contract is valid. And in the case of social networking services, the courts have indicated that minors can disaffirm the contract only by terminating their accounts, meaning that the contract remains legally binding for the entire period of time the minor has the account,” he said. “As a contracts scholar, I can understand the formalist logic behind this conclusion, but it conflicts with the conceptual principle that minors aren’t well-positioned to protect their own interests in contract negotiations.”

On the other hand, the solution might be worse than the problem itself.

“The counter-story is that most online services don’t have any reliable way to determine the age of their users, and an adhesion contract that works unpredictably on only some classes of users isn’t really useful. And I don’t think anyone would favor web-wide ‘age-gating’ as the solution to that problem,” he said.

Of course, the problem isn’t just the existence of a contract, but what the terms of that contract might be, and whether a minor is capable of understanding and consenting to its terms. Winston is concerned with what comes after the “parental promise” section in Snapchat’s contract: a binding arbitration agreement and class action waiver. (That’s the kind of waiver the Consumer Financial Protection Bureau is about to ban.)

“All claims and disputes arising out of, relating to, or in connection with the Terms or the use of the Services that cannot be resolved informally or in small claims court will be resolved by binding arbitration,” the terms say. “ALL CLAIMS AND DISPUTES WITHIN THE SCOPE OF THIS ARBITRATION AGREEMENT MUST BE ARBITRATED OR LITIGATED ON AN INDIVIDUAL BASIS AND NOT ON A CLASS BASIS.” (Snapchat’s CAPS, not mine.)

As Winston sees it, not only is Snapchat requiring minors to agree to a contract, it’s requiring them to surrender their right to have their day in court.

“I would certainly be very interested to read any legal ruling that enables a 13 year old to agree that she will ‘waive any constitutional and statutory rights to go to court and have a trial in front of a judge or jury,’” he said, echoing the terms. “I am not currently aware of any case law that enforces a mandatory binding arbitration clause against an adult parent based on the purported ‘consent’ of her minor child.”

Were those terms to survive a court challenge, and if Snapchat tried something like Sponsored Stories, Snapchat’s minor users would have waived their rights to join a class action against the firm.

In the end, you might be wondering why parents – or kids – might want to argue with Snapchat anyway? Winston leaps at a chance to answer that.

“The Snapchat TOS contract is relevant because the company is actively collecting personal data from millions of children. That includes device phonebook, camera and photos, user location information (from) GPS, wireless networks, cell towers, Wi-Fi access points, and other sensors, such as gyroscopes, accelerometers, and compasses,” he said. “It’s also relevant because Snapchat is sharing user data from millions of children with third-parties and business partners for the purpose of advertising and monetization.”

I’m not one to give parents more homework, and I hesitate to advise you to try to read all the terms of service agreements for every app on your child’s phone. But it might be a good learning moment to ask your kids what they’ve told tech companies about you — and find out what you’ve agreed to.