Managing e-business risk to mitigate loss: along with the speed and convenience of e-business come new risks, such as identity theft and cyberextortion. Technology has increased the amount of confidential information at risk, and can exacerbate financial and reputational loss.

• Author: Foster, Peter C.
• Position: Risk management

Between February and the end of April, more than 3 million personal data records have been reported lost or stolen due to security breaches. The U.S. Congress is holding hearings on the concern over unauthorized access to confidential information and, in some cases, the failure to notify affected consumers of such a breach in a timely fashion. Not surprisingly, the plaintiffs' bar has taken notice of potential class-action tort litigation associated with these events.

[ILLUSTRATION OMITTED]

Welcome to the reality of e-business--which, while convenient, poses such threats as identity theft, cyberextortion and more. Businesses need to be aware of a host of these new cyber threats and how to mitigate the repercussions of such events.

For starters, businesses should understand the financial and reputational risks that may be associated with the disclosure of a security/privacy breach and take the necessary steps to mitigate the risk and potential loss. Key issues to consider in light of an actual or potential security breach of confidential information include:

* Will consumers form a class-action suit?

* Will banks and credit card companies demand that companies pay them millions of dollars, as banks incurred such costs to reissue credit cards to the consumers?

* Will directors and officers be sued by stakeholders alleging that lax internal controls over IT processes led to a fraud and caused millions of dollars in direct losses, brand damage and a drop in the stock price?

* Will a company's network and IT infrastructure be able to recover quickly and provide functions that will support the business applications and customers?

* Will an extortionist threaten to post the confidential information on the Internet for all to see unless paid tens of thousands of dollars?

* Will a company be able to restore consumer confidence?

Identity Theft

In March 2004, a major retailer alerted its 8 million customers that "a small fraction" of them (it couldn't pinpoint which ones) may have had their credit card information stolen. The company released little detail on how the information was stolen, but admitted the cost was significant--as much as $16 million. The U.S. Secret Service has since said the case may be tied to an international identity-theft ring. More than a dozen banks filed claims against the retailer, seeking restitution for fraudulent purchases made with its customers' cards and for the costs associated with reissuing hundreds of thousands of credit cards.

The Federal Trade Commission (FTC) considers identity theft the fastest-growing crime in the U.S., estimating it affected more than 27 million Americans between April 1998 and April 2003; nearly 10 million individuals were affected in 2003 alone. The FTC reports that...