
On Fri, Apr 10, 2015 at 11:52 PM, The Conversation <support@theconversation.com> wrote:

Hi Benjamin Dean,
One of our readers, XXXXX at XXXXXXX, has contacted you via the form on your author
profile on The Conversation.
Their reason for contacting:
Expert Opinion

Their message is:

I have been analyzing data breach costs for some years, and I am skeptical concerning the
math used in this article. Like tracking the financial net of fraud, business net arguments
often do not tell the cleaner story nor create excellent or astute decision support. Can I
see more of your math? Since the pending lawsuits for negligent harm could easily top
17 billion, my math does not track your argument yet.

Do you have insider knowledge of the lawsuits? Does statistical trending of partially
negligent data breaches of credit cards not apply to Target? Is the analysis solely based on
the net of Cyber Insurance? Before I claim that you did not do the math right, it would be
much wiser for me to learn something. Can you help me with the core of your math?

Reference Article quoting you:
http://news.yahoo.com/data-breaches-may-cost-less-194542581.html

Best Wishes,







On Apr 11, 2015, at 11:53 AM, Benjamin Dean < > wrote:

Hi XXXXXX,

You need only go to the respective companies' 10-Q reports to find the data I have
cited. In those reports, each company explains what is included in their estimated
data breach related expenses. Target has got the most detailed breakdown of gross,
net of insurance, net of tax figures.

I don't know where a $17bn estimate could come from. Target's recent settlement of
a class action lawsuit related to the data breach was $10mn. That's significantly less
than even $1bn and suggests that the final legal bill will not be a catastrophic
amount for a company that does $75bn in revenue each year.

Best,


Ben.



On Sat, Apr 11, 2015 at 8:54 PM, XXXXX <XXXXXXX> wrote:
Benjamin,

I have already been through the 10-Qs of Target and Home Depot some time ago. If I
were to guess, the computations in question only considered the net of the breach
after insurance and the cost of that insurance year over year. Yet, since legal and
reputation risk are directly proportionate to the loss experienced by the customer
rather than Target, the actual risk to Target in direct financial terms is
proportionate not to the fines paid to the Credit Card Acquirers for replacing lost or
stolen credit cards, $61 million, but to the fraud on those lost or stolen cards.

Being aware of Target's 10-Q, you know of the 80 pending lawsuits related to the
breach whose costs are not yet accounted for. A group of banks now has standing to
sue Target for liability for fraud against the breached credit cards, as it seems
possible to prove Target did not engage in due care over protection of the
cards. Further, even banks which are considered able to understand and take
considerable credit risk may have faced extraordinary risk even for an informed
risk management team. Thus, the lawsuits are proceeding.

Consider a simple model of the pending financial risk of such a lawsuit. The simplest
assumes that Target's liability ranges from 5% to 100% of the consequential credit
card fraud. This is a simple estimate to gauge both consequential legal risk and
reputation risk effects from adversely affected credit card holders.

The lawyers' fees of the settlement would be trivial, near 1.2 million, so these have
been neglected.

A) Lexis Nexis reports that near 30.1% of persons involved in a data breach faced
consequential exploits in 2014. (The California Attorney General has been using
Lexis Nexis consequential exploit statistics as a credible authority in her annual
reports for some years now. These reports will likely have considerable legal weight.)

B) The FBI IC3 studies of reported fraud instances average near $1745 across all
50 states. This varies somewhat per year, but for order of magnitude results,
consider this a first guess. (The FBI fraud statistics in its IC3 reports are also noted
for having considerable legal weight.)

Thus, fraud risk per credit card breached can vary but might reasonably average
near $1745 * 30.1% = $525.24 per breached card.

It is said that all models are wrong but some are useful. Consider what happens
when $525.24 per breached card, as an average fraud loss of citizens at random
across all 50 states, meets 40 million breached credit cards.

$500 * 40 million = 20 Billion USD.


From the 10Q of Target, one may see a Cash Flow From Operations near 5.6 Billion
USD.

Thus, if Target were held 100% liable for consequential fraud on the credit cards
breached, a hidden number in the 10-Q, the outcome of its 80 lawsuits pending
related to the breach could cleanly eclipse any costs reported by Target so far.

Typically, when a consortium of banks does successfully sue a firm for
consequential fraud on credit cards, it is rare that these hold the merchant 100%
liable unless compelling defects in PCI compliance factors are involved. Forensic
studies of computers are used as part of liability assignment. Often the Credit Card
Acquirers have just cause for 100% liability assignment but choose not to press
their legal case, to avoid harming otherwise mutually profitable uses of credit cards by
customers.

Thus, if Target were to have done a substantially good job protecting its credit card
processing systems, it may face a 5% liability assignment should the case of
negligence be proved in court. Yet, cases of 25% and 100% liability assignment are
occurring and often settling out of court by consent decrees.

Consider a 5% liability ruling against Target, which I would judge to be an unlikely
low, but possible, legal outcome.
- 20 Billion * 5% = 1 Billion USD

As an investor reading 10-Q statements, one realizes that it is quite routine for firms to
hold off on reporting on pending litigation and to write the loss off as an
extraordinary one-time expense. Even if the settlement involves time payments,
these can be lumped using NPV computation techniques in a completely GAAP
acceptable manner of corporate accounting.

Thus, reading the 10-Q statements, I could easily observe that Target may not be
telling its investors something that its legal team likely already knows.
Target will likely face another 1 to 20 billion dollar cost for its breach that is not yet
reported and likely will not settle until 2016.

I hope this helps when considering how a thoughtful analysis of 10-Q statements,
legal trending in final settlements of data breach losses, and true costing of breaches
might lead me to ask you for further detail.

How is it possible to make policy based on known 10-Q omissions of critical data
and unresolved GAAP standards of reporting data breach risk exposures by firms?

Now that I have shown you a really basic basis for my extended analysis
numbers, can you please describe whether you used gross cash losses or the net
after insurance cash losses in your analysis? It really is a simple question.


Best Wishes,



On Apr 12, 2015, at 8:55 AM, Benjamin Dean < > wrote:

XXXXXXX,

For Target, the figures I have cited refer to the $248 million of cumulative expenses,
partially offset by expected insurance recoveries of $90 million, for net cumulative
expenses of $158 million. Once the tax deductions are made to these expenses, the
final expenses are $105mn. The table, derived from the 10-Q, can be found in the
original article: https://theconversation.com/why-companies-have-little-incentive-to-invest-in-cybersecurity-37570#ftag=YHF87e0214

In these 10-Q reports, Target specifically states that "breach-related expenses may
include costs for reissuing cards, lawsuits, government probes and enforcement
proceedings, legal expenses, investigative and consulting fees, and capital
investments." While we aren't given a breakdown of each individual component, we
know that lawsuits are included in the totals.

Has Target decided to delay reporting on its pending lawsuits related to card fraud?
All we can say now is maybe. The only certain losses we know of are disclosed in the
10-Q reports. This is a better basis on which to make policy than extrapolations,
estimations with large ranges and future scenarios without probabilities.

Regarding your estimates - I'd like to make a few comments because I too have been
grappling with this same question.

The reason I find $20bn an unlikely number is that, according to the 2013 Federal
Reserve Payments Study, the total card-present and card-not-present fraud for 2012
- across the entire USA and all transactions - amounted to $3.8bn. How could Target
possibly face an impending $20bn bill for card fraud when this figure is 5x more
than the total amount of card fraud that occurs each year?

In terms of the components of your estimate, the average loss is not a good measure
to use here given that fraud losses do not follow a normal distribution. Rather,
they're closer to a bifurcated distribution where there are a lot of small amounts and
some very large amounts. The median would be a better measure to use. Both the
IC3 and FTC Consumer Sentinel data indicate that the median amount typically lies
between $300-510.

The 30% figure is also not believable when one considers just how hard it is to
commit card fraud. Cormac Herley's paper is a great resource in that it explains the
difficulty in actually committing card fraud at scale (which is what we're talking
about with tens of millions of cards). In short, the difficulty lies in the information
asymmetries between fraudster and card holder. Add to this the anti-fraud systems
banks employ to detect anomalous spending patterns (which you've
mentioned). http://research.microsoft.com/apps/pubs/?id=192110


This pattern seems to have emerged. If you take Target's CFO's and Visa's Chief Risk
Officer's word, the extent of the fraud was quite low. For Target brand cards, the
uptick in fraud was 0.1% (I unfortunately don't know the total fraud figures for
Target, but this statement would suggest that it is not a large amount). For Visa cards
involved in the breach, the estimate is a fraud rate of 2-5% of all cards related to the
breach.

I'd also question whether 40 million is a sensible number to use. Another key detail
is that only "12 million of these customers lost both payment card data and
personal information in the heist." This is a key number because it tells you how
many card numbers + personal info were stolen. To commit fraud successfully, one
requires both sets of information. The probability of fraud being successfully
committed on these cards is much higher (though not 100%) than on the other cards.

(see: http://www.bloomberg.com/bw/articles/2014-03-26/three-new-details-from-targets-credit-card-breach)

So where does that leave us? In short, we're definitely below $1bn in card fraud.

We're sitting on a maximum fraud amount of:

$399 per card * 2-5% of 40 million cards = $319-798 million

Or a mid-range estimate of:

$399 per card * 5% of 12 million cards = $239 million

Or a floor of:

$399 per card * 2% of 12 million cards = $95 million

Each one of these numbers can be multiplied by the amount that Target is held
liable for (5-100%) and you are not reaching $1bn.

This all looks consistent with Target's disclosures to date. I'd like to repeat
something here - because I think we both agree - that for policy decisions to be
made we require reliable, verifiable estimates. Something I've discovered in the
course of all this work is how opaque the whole cost accounting is for data breaches.
I trust you understand the difficulty in making definitive statements in what is a
very opaque environment. I prefer to use data relating to actual losses, though there
aren't many out there. Most prefer to use estimations, extrapolations and - in the
worst instances - pure speculation. I hope my little piece contributes in some way to
a larger conversation about the real risks involved in data breaches and cybersecurity
more generally.

Best,

Ben.
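As an added example, not written by either correspondent, the two competing estimates in the thread expressed as one small sensitivity model: the parameter values are the ones quoted above (40M or 12M cards, a 30.1% or 2-5% fraud rate, a $1745 mean or $399 median loss, 5-100% liability) and each scenario is checked against the $3.8bn national card-fraud total Ben cites; the loss sample used for the mean-versus-median point is constructed, not real data.

```python
from statistics import mean, median

# Ceiling used as a sanity check in the thread: total US card fraud in 2012
# according to the 2013 Federal Reserve Payments Study.
US_CARD_FRAUD_2012 = 3.8e9


def exposure(cards, fraud_rate, loss_per_card, liability_share):
    """Expected liability = cards x P(fraud per card) x loss per defrauded card x share held liable."""
    return cards * fraud_rate * loss_per_card * liability_share


def scenarios():
    """Return {label: (exposure_usd, exceeds_national_total)} for both sides' inputs."""
    params = {
        # Reader's model: IC3 mean loss, 30.1% consequential-exploit rate, all 40M cards.
        "reader_5pct":   (40e6, 0.301, 1745, 0.05),
        "reader_100pct": (40e6, 0.301, 1745, 1.00),
        # Ben's model: $399 median loss, 2-5% fraud rate, 40M or 12M cards, 100% liable.
        "ben_max":       (40e6, 0.05, 399, 1.00),
        "ben_mid":       (12e6, 0.05, 399, 1.00),
        "ben_floor":     (12e6, 0.02, 399, 1.00),
    }
    out = {}
    for label, (cards, rate, loss, share) in params.items():
        e = exposure(cards, rate, loss, share)
        # A breach exposure larger than all US card fraud in a year fails the sanity check.
        out[label] = (e, e > US_CARD_FRAUD_2012)
    return out


def mean_vs_median(losses):
    """Mean and median of a per-victim loss sample; on a skewed sample they diverge widely."""
    return mean(losses), median(losses)


# Constructed sample (not real data): many small losses and a few very large ones.
SAMPLE_LOSSES = [120, 200, 250, 300, 350, 400, 450, 500, 8000, 25000]

if __name__ == "__main__":
    for label, (usd, too_big) in scenarios().items():
        print(f"{label:15s} ${usd/1e6:10,.1f}M  exceeds 2012 US card fraud: {too_big}")
    print("mean vs median of skewed sample:", mean_vs_median(SAMPLE_LOSSES))
```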





On Mon, Apr 13, 2015 at 1:59 AM, XXXXXXXXXX <XXXXXXXXXX> wrote:
Benjamin,

Thanks for input to the original question. Do you have a cited reference on
maximum CC fraud? I have never found a reliable one, and often the pull for data
amounts to a smoke and mirrors estimate.

Lexis Nexis statistics are pulled from actual fraud data. Most measured t-tests do
not support substantial differences between private reports of fraud vs fraud
reported to the authorities, so good public sources will do. If you find such numbers
unreasonable, can you cite a more reasonable, pure data based source?
Most public authorities point back to Lexis Nexis for their assessments. So, I am
afraid the 30.1% number is from a sample size large enough to justify a 95%
confidence interval on those 3 digits. The number gets re-measured each year and
so may move on a year over year basis. There is enough data for a small sample
year over year trend line, but it does not yet meet my standards, though in the next
few years it likely will.

There is plenty of work for all concerned in the supply and demand area of
vulnerability vs attacker behavior. In this area, medical payment and medical
identity impersonation is actually less regulated and is presently commanding
higher fence prices for stolen data.

Still, I am quite sure that the most recent lawsuit pending for Target already has
passed a review for legal standing. This means there is credible reason to assert
negligence and there is actual harm beyond the numbers already stated by Target.




Best Wishes,



From: Benjamin Dean < >
To: XXXXX <XXXXXXX>

XXXXX,

The reference I cited is the 2013 Federal Reserve Payments Study.

The full report is available here:
https://www.frbservices.org/files/communications/pdf/general/2013_fed_res_paymt_study_detailed_rpt.pdf

The methodology section is extensive and explains all you need to know about how
the estimates are generated. From p89-90:

The 2013 DFIPS estimates were based on data reported by a stratified random
sample of depository institutions... The respondents selected were sampled from the
population of insured depository institutions in the United States, including
credit card banks. The population included commercial banks, state-chartered and
federally chartered savings institutions, and credit unions. Domestic branches of
foreign-owned banks were not sampled.

Ben.
