Ex-Post Mitigation Strategies for Breaches of Non-Financial Data

25 Pages Posted: 31 Mar 2016 Last revised: 13 Aug 2016

See all articles by Josephine Wolff

Josephine Wolff

Fletcher School, Tufts University

William Lehr

Massachusetts Institute of Technology (MIT) - Computer Science and Artificial Intelligence Laboratory (CSAIL)

Date Written: March 30, 2016


As the financial sector has gotten better at dealing with data breaches of payment card information, criminals have increasingly switched their focus to other targets. But the shift of large-scale data breaches to increasingly target non-financial data (that is, data other than payment card numbers and bank account credentials) has rendered long-standing strategies for mitigating the damage of these breaches ineffective. This paper explores avenues of ex-post defense and damage mitigation that apply to emerging types of data breaches that target non-financial data, including medical records, personal communications, and personnel records. The central research questions it aims to answer are: How do the costs of non-financial data breaches differ from those of financial data theft, and in the aftermath of breaches of non-financial data, what has been and can be done to protect victims from harm even after their data has been stolen? To answer this question, we analyze case studies of three organizations targeted in breaches of non-financial data reported in 2014 and 2015: the US Office of Personnel Management (OPM), Sony, and the health insurance company Anthem. We review the different ex-post mitigation strategies undertaken following each incident and discuss the reasons certain types of harm — including identity theft and fraud — provide many more opportunities for ex-post mitigation than other types of harm, such as humiliation and espionage. For each of these classes of harm, we discuss how defenders may try to limit the extent of those harms using mechanisms that fall into five broad categories of ex-post mitigation strategies: (1) limiting the value of stolen information to criminals, (2) drawing attention to the theft and thereby limiting the longevity of stolen information, (3) shifting or limiting liability and insulating specific classes of victims from harm, (4) limiting the spread or transfer of stolen data, and (5) identifying, arresting, and prosecuting the perpetrators.

Keywords: data breaches, economics of information security, ex-post mitigation, cyber defense, cyber security

Suggested Citation

Wolff, Josephine and Lehr, William, Ex-Post Mitigation Strategies for Breaches of Non-Financial Data (March 30, 2016). TPRC 44: The 44th Research Conference on Communication, Information and Internet Policy 2016, Available at SSRN: https://ssrn.com/abstract=2756842 or http://dx.doi.org/10.2139/ssrn.2756842

Josephine Wolff (Contact Author)

Fletcher School, Tufts University ( email )

160 Packard
Medford, MA 02155
United States

William Lehr

Massachusetts Institute of Technology (MIT) - Computer Science and Artificial Intelligence Laboratory (CSAIL) ( email )

Stata Center
Cambridge, MA 02142
United States

Here is the Coronavirus
related research on SSRN

Paper statistics

Abstract Views
PlumX Metrics