Placing a Value on an R&D Loss

A Q&A with Rob Chiang of Navigant Consulting
When a company loses valuable R&D data during a breach incident, that loss or value must be calculated for financial and legal purposes. I asked Rob Chiang, leader of the Intellectual Property valuation practice at Navigant Consulting, about the valuation process, and how he determines the value of lost data.

What are the valuation methods you use?
There are generally three main valuation approaches:

  • Income Approach. This approach is based on the future cash flows that the business or asset is expected to generate going forward.
  • Market Approach. This approach is based on prices paid in transactions involving similar businesses or assets.
  • Cost Approach. This approach is based on the principle of replacement/substitution, or what it would cost to replace the asset or business.

For technology or R&D, the Income Approach is usually the most appropriate since it’s based specifically on future cash flows associated with the asset. The Market Approach should also be considered although it is generally difficult to find comparables in the market, especially when you’re talking about something that is unique or innovative like R&D. In addition, information regarding specific market transactions is usually confidential so it can be difficult to get the details of the transaction. The Cost Approach is sometimes considered but cost does not always translate into value. Just because you’ve put a lot of money into an R&D project doesn’t mean you will earn an adequate return in cash flow.

Can you explain how you might value an R&D loss, as in the case of hackers from a foreign nation-state?
When hackers come in and steal IP, clients come to me to learn what that IP is worth on its own or what profits they might have lost due to the theft. Accordingly, we can assist in estimating the IP’s overall value or estimating a component of that value (lost profits). In most cases, we will work with the client to develop the valuation model based on future cash projections, sales, profits, market industry research, and the background of the technology or asset in question. Of course, the clients usually know their products better than anyone else, so I generally need their input. In our projects, we generally deliver a full valuation report with detailed exhibits from the valuation model, but we can provide whatever the client needs and wants. Usually the valuation model is income-based and is flexible enough to run various sensitivities and scenarios in order to identify which variables have the greatest impact on value.

What issues or disputes might arise in the valuation process?
As I mentioned previously, the Income Approach is based on financial projections – which are based on assumptions for future sales, costs and profits associated with the asset or business. Therefore, the biggest issue or dispute generally pertains to the assumptions that are incorporated into the valuation model. These assumptions must be reasonable and supportable based on available market, industry, and historical information. Supporting these assumptions can be even more challenging with R&D projects and new technologies which don’t have the history of sales and profits for support.

In summary…
Theft of intellectual property, especially trade secrets, is arguably one of the leading cyber risk threats facing businesses and research organizations. Our hope is to someday convince our insurance carrier partners to cover this exposure – especially the first-party loss (diminished valuation or revenue) due to theft. Ceding this risk exposure via expanded cyber risk coverage is challenging for most insurers right now, primarily because of a lack of actuarial data on losses, and because of concerns about proactive valuation methods such as those outlined by Mr. Chiang. Another important topic here, of course, is developing an upfront safeguarding and protection strategy for the IP. For this topic, we urge you to read the July 2013 related Junto blog interview with Marshall Heilman of Mandiant.

Protecting Children’s Data Online

A Q&A with Marshall Harrison of Imperium
With the passage of the Children’s Online Privacy Protection Act (COPPA), businesses are scrambling to find effective ways of staying compliant with the regulation. I talked to Marshall Harrison, founder and CEO of Imperium, about the law’s implications and his new product ChildGuardOnline, an FTC-approved parental consent verification solution.

What type of child data is covered under COPPA?
COPPA applies to individually identifiable information about children under the age of 13 that is collected online, such as on a website or mobile application. That information can include the name, home address, phone number or anything else that would allow someone to identify the child, such as hobbies and interests. For instance, if a mobile app operator can tell which website a child has visited online, that is covered by COPPA. If they are collecting an IP address of the child either proactively or even passively, then that is also covered by COPPA.

Please explain the section of the COPPA regulation that requires verifiable parental consent.
Before collecting or using or disclosing any personal information from a child, the operator (either the site owner or developer) has to obtain verifiable parental consent from the child’s parent. In certain circumstances the child’s info could be collected prior to consent—for instance, if they have to collect data such as the child’s name to contact the parent and say “Your child Joe has asked for your consent.” There are some common sense exemptions or exceptions to the rule, but generally the consent has to come first.

How can a company that collects or shares child data comply with the regulation?
Of course, the best thing they could do is consult with an attorney to find out if they are already complying. To be more specific, the operator has to make what is considered a reasonable effort to ensure that before any information is collected from the child the parent gets notice and gives verifiable consent. The operator has to tell the parent who they are, what they do, the nature of the data collected and what they plan to do with it. They also need to tell the parent if the information will be shared with a third party and/or made publicly available on social media. There are a number of ways to get consent—written consent, which can be laborious; an online monetary transaction that might include charging a credit card to prove that the parent is the person they say they are; or a phone or Skype interview with trained personnel. You can also confirm the identity through public record databases, or if the information is only internal you can use a procedure such as Email Plus. Finally, you can use a fully compliant service such as ChildGuardOnline. ChildGuardOnline uses the last four numbers of the parent’s SSN or knowledge based authentication (KBA) questions. It also checks sex offender lists and assures the age appropriateness of the parent for the child being given permission. In addition, it allows parents to withdraw their consent at a later date, among other features.

What are the possible penalties for non-compliance?
COPPA is enforced by the federal government but it also provides enforcement rights for states. Some states are more active in consumer protection than others. An operator who violates COPPA can be fined up to $16,000 per violation, which is per child from whom they get the data not pursuant to verifiable consent. The total fine varies due to factors such as the number of violations, the history of violations and the degree of egregiousness. Some large companies have been fined hundreds of thousands of dollars.

People comply with laws or take measures to comply for several reasons. In addition to the FTC there are parents’ groups and educational and religious groups that are monitoring apps and websites targeted to children, and they will go above and beyond to highlight companies that are good citizens, or not. The reality is that many companies—especially nonprofits that share the data, companies based outside the U.S., and those that don’t save the data and think they are immune to COPPA—still don’t understand the law and are not compliant.

In summary…
This is a major cyber liability risk issue for any organization that in any manner interfaces with children’s personal information. Protecting private data and being transparent about its usage are paramount. Attorneys General, the FTC and plaintiffs’ lawyers are paying close attention to the COPPA regulation. Moreover, the number of websites and, especially, mobile apps with child-directed content is vast, and it appears that very few of these entities are in fact fully complying with the regulation’s key component – getting verifiable parental consent. This requirement alone is daunting, but thanks to companies like Imperium and products such as ChildGuardOnline, solutions are starting to surface.

Breach Forensics: Preparing for an Investigation

A Q&A with Steve Visser, Managing Director at Navigant Consulting
Many types of data security incidents can require a forensic investigation to uncover the depth of the breach and how it occurred, and this process is more efficient when an organization has anticipated what’s involved. I talked to Steve Visser—national leader of Navigant Consulting’s information security incident investigation and response practice—about what risk managers can do to prepare for a successful forensic investigation.

What proactive steps can a risk manager and IT personnel take to make a future forensics investigation go more smoothly and effectively?
There are four things I recommend:

  • Prepare a data map for the company. This is a high-level summary or list of all the data systems that exist within the organization and includes platforms, data format, system architecture, where data is stored (whether it’s insourced or outsourced), and a list of the relevant subject matter experts so you know who to go to when an incident occurs. We recommend clients look at this map on a quarterly basis and revise it accordingly.
  • Assess log retention and accessibility. These are records of access or data traffic for an organization or specific system. There are many different types of logs, and an investigator will need specific ones in the case of a security incident. Your organization is encouraged to be aware of what logs exist, where they are, how long they are retained for, and how to go about extracting them as evidence for an investigation.
  • Determine in advance any outside service providers or partners needed. These might include legal, forensics and notification services. Review contracts and negotiate terms in advance if possible, so that when an incident happens, you don’t lose time processing or vetting an agreement. In an ideal world we’d be contacted immediately so we can hit the ground running and give the organization a better chance of meeting any regulatory or legal deadlines imposed, such as notification. We welcome the chance to speak with organizations in advance to let them get to know us before an incident occurs, and we have a contract we can send for review before our services are needed.
  • Engage in response planning. Become familiar with the types of security incidents occurring these days and determine what you need to do internally as well as with service providers to effectively respond to such incidents. Many incidents fall into the categories of lost or stolen device; malware; or insider theft. There should be a plan for each of these key categories.

What are the typical steps involved in a data breach forensic investigation?
For all investigations, there’s information gathering and collection, forensic analysis and then data analysis in some situations to determine the impacted individuals and how to proceed with reporting and notification. Depending on the category of incident the specific steps will change to a certain degree.

In the case of malware, it’s a matter of finding the malware involved, often through a complex artifact analysis of the computer where it’s hiding. We’d then research the malware and determine its potential capabilities, and reverse-engineer and deposit it in a secure, self-contained “malware environment” so we can watch what it does next. Often, we also analyze logs to see if there are any indications of data exfiltration and, if needed, perform data mining to figure out what PHI or PII might have been involved.

With lost and stolen devices, which could be anything from a laptop to a phone to a backup drive, we first need to know if that device has been recovered. That’s the minority of cases, but if it was recovered, there is a need to determine if the device was accessed or utilized during the unaccounted-for time period. To accomplish that, we perform a data egress analysis on the device to evaluate whether anything was accessed or potentially removed. If it’s not recovered, then steps need to be taken to determine what data was on the device, often through evaluation of a backup or proxy. Then we proceed to data mining and analysis to find out what PHI or PII is involved.

When it comes to employees engaging in unauthorized activity, we can determine who has access to what information and analyze logs to see which records were accessed by specific employees and perform a rules-based analysis to evaluate whether each access instance was appropriate. We might also conduct a peer group comparative analysis among employees with similar responsibilities to find out if access patterns are consistent. Less commonly, there are cases when we get the list of individuals whose data was compromised first and we use that to trace back to the employees who viewed and/or extracted the information through log data analysis.

There’s no one-size-fits-all approach but in all cases the work has to be done as quickly as possible.
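As an added illustration of the rules-based and peer-group access analyses Mr. Visser describes for insider cases (example code written for this page, not Navigant’s tooling), the following runs both checks over a constructed record-access log. The CSV layout, the assignment table, the user and record names and the 2x-median threshold are all assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample export of a record-access log (hypothetical CSV layout):
# timestamp,user,role,record_id
ACCESS_LOG = """\
2013-07-01T09:02:11,alice,nurse,P100
2013-07-01T09:05:40,alice,nurse,P101
2013-07-01T09:30:02,bob,nurse,P102
2013-07-01T10:11:55,carol,nurse,P100
2013-07-01T10:12:30,carol,nurse,P200
2013-07-01T10:13:01,carol,nurse,P201
2013-07-01T10:13:45,carol,nurse,P202
2013-07-01T10:14:20,carol,nurse,P203
2013-07-01T11:00:00,dave,billing,P100
"""

# Constructed assignment table: the records each employee is authorised to view.
ASSIGNMENTS = {
    "alice": {"P100", "P101"},
    "bob": {"P102"},
    "carol": {"P100"},
    "dave": {"P100", "P101", "P102"},
}

def parse_log(text):
    """Split the CSV export into (timestamp, user, role, record) tuples."""
    return [tuple(line.split(",")) for line in text.splitlines() if line.strip()]

def rules_based_review(rows, assignments):
    """Rule: an access is appropriate only if the record is on the user's
    assignment list. Returns (timestamp, user, record) for every rule break."""
    return [(ts, user, rec) for ts, user, _role, rec in rows
            if rec not in assignments.get(user, set())]

def peer_group_outliers(rows, factor=2.0):
    """Compare each employee's count of distinct records against the median of
    employees with the same role; flag anyone above factor * median."""
    by_role = defaultdict(lambda: defaultdict(set))
    for _ts, user, role, rec in rows:
        by_role[role][user].add(rec)
    flagged = {}
    for role, users in by_role.items():
        counts = {u: len(recs) for u, recs in users.items()}
        baseline = median(counts.values())
        for u, n in counts.items():
            if n > factor * baseline:
                flagged[u] = (role, n, baseline)
    return flagged
```

On this sample the rule check isolates carol’s four accesses outside her assignment list, and the peer comparison flags her as the only nurse well above the group median; in a real engagement each flagged access still has to be confirmed with the business before it is treated as inappropriate.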

Once a breach has occurred, how might a client or their Breach Coach engage your firm? What obstacles most often impact the outcome of an investigation?
Navigant is on what’s called a panel with most cyber risk insurers so if an organization has cyber risk insurance, one of the first things they should do is notify the insurer and they will be connected with Navigant. We also know most of the data breach coach attorneys that handle incidents in the US, so they might also retain us on behalf of their client.

One of the biggest obstacles to an investigation is waiting too long to bring in appropriate service providers. The second obstacle would be not providing access to the right information, either by not connecting us with the right people internally or by not having the right retention protocols to ensure sufficient data for the forensic analyses. It’s definitely an advantage to retain counsel first, which grants your organization attorney-client privilege, and then have the counsel retain us. An attorney will be able to help determine whether it’s necessary to report the incident as a breach—in some situations we have been able to perform a forensic analysis and conclude low probability of risk of harm. We come to this from a technical perspective where the attorneys come from a regulatory and legal perspective, and together we can help determine the implications of an incident.

Mr. Visser’s contact information is as follows:

Steve Visser
Managing Director | Disputes & Investigations
Navigant Consulting, Inc.
1331 17th St. Suite 808
Denver, CO 80202
Office: (303) 383-7305 | Mobile: (303) 888-5822

In summary…
Mr. Visser did a nice job of outlining some of the key issues pertaining to a data breach incident that may also involve cyber liability insurance coverage. Network security event logs are especially critical to any claims investigation so the insurer can understand “who, what, when, where and how” for proper claims adjustment. For example, the insurance carrier might want to confirm that the breach event occurred and/or was discovered during the insurance policy term. It can get complicated if the insured business has not retained this evidence. Or, maybe the forensic investigator discovers that a third-party vendor caused the loss. In that event, the insurer has a possible subrogation target to recoup their payout (see Junto on Cyber Liability and Subrogation with Kenneth Levin, Esq., partner at Nelson, Levine, de Luca & Hamilton, LLC).
