The risks inherent in the Internet of Things (IoT) are becoming better known. The denial-of-service attack launched using the Mirai botnet, which consisted of hundreds of thousands of IoT devices, is a good illustration of what can happen as a result of such devices being insecure. I read about an example today that brings the risk closer to home.
A casino reportedly had its database of high rollers breached by hackers who accessed the casino’s network through a networked thermometer in its lobby aquarium. While I don’t know what information was in the database, it is easy to imagine that the breach could trigger an obligation to notify the affected individuals.
If you’re a casino, and you have to tell your best customers that their personal information has been breached, you are going to have a really bad day.
There are lots of system security lessons that you can draw from a situation like this. I’m not the guy to teach them though. Instead, let’s look at the financial aspects of an event like this.
The casino undoubtedly had to hire forensic investigators to determine how the breach happened. The casino probably had to retain legal counsel to assess whether it had to notify the high rollers about the breach. The casino might have decided to provide credit and identity monitoring to the individuals. If the breach became public, the casino might have had to bring in public relations consultants to help manage communications about the event. The high rollers could have sued the casino. It’s also possible an event like this could spark the interest of regulators, who might launch an investigation that the casino would have to respond to. All of that could be expensive.
The good news is that all of that would be covered under a good cyber insurance policy. The bad news is that there could be more significant losses that wouldn’t be covered.
The casino’s best customers could decide to play elsewhere because they no longer trust the casino’s management of their personal information. That could adversely impact the casino’s business and reduce its revenues for a significant period of time. Such reputational loss would not be covered under most cyber policies. It is possible to find that coverage, however.
It’s easy to look at an event like this and laugh at its absurdity. Unfortunately, absurdities like this can be absurdly expensive. Companies can either prepare for that, or disconnect their aquarium thermometers and buy sweaters for their fish.