The Gordon–Loeb model is an economic model that analyzes the optimal level of investment in information security.
75-413: The benefits of investing in cybersecurity stem from reducing the costs associated with cyber breaches. The Gordon-Loeb model provides a framework for determining how much to invest in cybersecurity, using a cost-benefit approach. The model includes the following key components: Gordon and Loeb demonstrated that the optimal level of security investment, z*, does not exceed 37% of the expected loss from
150-434: A need to know. Mishandling of the material can incur criminal penalties. A formal security clearance is required to view or handle classified material. The clearance process requires a satisfactory background investigation. Documents and other information must be properly marked "by the author" with one of several (hierarchical) levels of sensitivity—e.g. restricted, confidential, secret, and top secret. The choice of level
225-559: A threat model that is broadly similar to that faced by a large private company. The Official Sensitive classification replaced the Restricted classification in April 2014 in the UK; Official indicates the previously used Unclassified marking. Unclassified is technically not a classification level. Though this is a feature of some classification schemes, used for government documents that do not merit
300-434: A "state secret" and accords different levels of protection based on the expected damage the information might cause in the wrong hands. However, classified information is frequently "leaked" to reporters by officials for political purposes. Several U.S. presidents have leaked sensitive information to influence public opinion. Although the classification systems vary from country to country, most have levels corresponding to
375-553: A breach, cyber insurance, and monitoring the dark web for stolen credentials of employees. In 2024, the United States National Institute of Standards and Technology (NIST) issued a special publication, "Data Confidentiality: Identifying and Protecting Assets Against Data Breaches". The NIST Cybersecurity Framework also contains information about data protection. Other organizations have released different standards for data protection. The architecture of
450-566: A breach. Specifically, z*(v) ≤ (1/e) vL. The model was first introduced by Lawrence A. Gordon and Martin P. Loeb in a 2002 paper published in ACM Transactions on Information and System Security, titled "The Economics of Information Security Investment". It was reprinted in the 2004 book Economics of Information Security. Both authors are professors at the University of Maryland's Robert H. Smith School of Business. The model
525-401: A change from the previous rule, under which documents could have their classification time length renewed indefinitely, effectively shuttering state secrets from the public. The 2011 law applies retroactively to existing documents. The government of Canada employs two main types of sensitive information designation: Classified and Protected. The access and protection of both types of information
600-504: A classification in public sectors, such as commercial industries. Such a level is also known as "Private Information". Official (equivalent to US DOD classification Controlled Unclassified Information or CUI) material forms the generality of government business, public service delivery and commercial activity. This includes a diverse range of information, of varying sensitivities, and with differing consequences resulting from compromise or loss. Official information must be secured against
675-498: A company's systems plays a key role in deterring attackers. Daswani and Elbayadi recommend having only one means of authentication, avoiding redundant systems, and making the most secure setting default. Defense in depth and distributed privilege (requiring multiple authentications to execute an operation) also can make a system more difficult to hack. Giving employees and software the least amount of access necessary to fulfill their functions (principle of least privilege) limits
750-411: A customer does not end up footing the bill for credit card fraud or identity theft, they have to spend time resolving the situation. Intangible harms include doxxing (publicly revealing someone's personal information), for example medication usage or personal photos. There is little empirical evidence of economic harm from breaches except the direct cost, although there is some evidence suggesting
825-439: A data breach can be used for extortion. Consumers may suffer various forms of tangible or intangible harm from the theft of their personal data, or not notice any harm. A significant portion of those affected by a data breach become victims of identity theft. A person's identifying information often circulates on the dark web for years, causing an increased risk of identity theft regardless of remediation efforts. Even if
900-618: A data breach, although only around 5 percent of those eligible take advantage of the service. Issuing new credit cards to consumers, although expensive, is an effective strategy to reduce the risk of credit card fraud. Companies try to restore trust in their business operations and take steps to prevent a breach from reoccurring. After a data breach, criminals make money by selling data, such as usernames, passwords, social media or customer loyalty account information, debit and credit card numbers, and personal health information (see medical data breach). Criminals often sell this data on
975-435: A desire to protect trade secrets, or because of laws and regulations governing various matters such as personal privacy, sealed legal proceedings and the timing of financial information releases. With the passage of time much classified information can become less sensitive, and may be declassified and made public. Since the late twentieth century there has been freedom of information legislation in some countries, whereby
1050-402: A government agency or group shares information between an agency or group of other country's government they will generally employ a special classification scheme that both parties have previously agreed to honour. For example, the marking Atomal, is applied to U.S. Restricted Data or Formerly Restricted Data and United Kingdom Atomic information that has been released to NATO. Atomal information
1125-409: A law in 2018) have their own general data breach notification laws. Measures to protect data from a breach are typically absent from the law or vague. Filling this gap is standards required by cyber insurance, which is held by most large companies and functions as de facto regulation. Of the laws that do exist, there are two main approaches—one that prescribes specific standards to follow, and
1200-494: A particular classification or which have been declassified. This is because the information is low-impact, and therefore does not require any special protection, such as vetting of personnel. A plethora of pseudo-classifications exist under this category. Clearance is a general classification, that comprises a variety of rules controlling the level of permission required to view some classified information, and how it must be stored, transmitted, and destroyed. Additionally, access
1275-540: A person, organization, or agency". Secret material would cause "serious damage" to national security if it were publicly available. In the United States, operational "Secret" information can be marked with an additional "LimDis", to limit distribution. Confidential material would cause "damage" or be prejudicial to national security if publicly available. Restricted material would cause "undesirable effects" if publicly available. Some countries do not have such
1350-492: A product that works entirely as intended, virtually all software and hardware contains bugs. If a bug creates a security risk, it is called a vulnerability. Patches are often released to fix identified vulnerabilities, but those that remain unknown (zero days) as well as those that have not been patched are still liable for exploitation. Both software written by the target of the breach and third party software used by them are vulnerable to attack. The software vendor
1425-492: A risk of data breach if that company has lower security standards; in particular, small companies often lack the resources to take as many security precautions. As a result, outsourcing agreements often include security guarantees and provisions for what happens in the event of a data breach. Human causes of breach are often based on trust of another actor that turns out to be malicious. Social engineering attacks rely on tricking an insider into doing something that compromises
1500-400: A routine level of protection and is treated as OFFICIAL. Information that does not form part of official duty is treated as UNOFFICIAL. OFFICIAL and UNOFFICIAL are not security classifications and are not mandatory markings. Caveats are a warning that the information has special protections in addition to those indicated by the security classification of PROTECTED or higher (or in the case of
1575-418: A temporary, short-term decline in stock price. Other impacts on the company can range from lost business, reduced employee productivity due to systems being offline or personnel redirected to working on the breach, resignation or firing of senior executives, reputational damage, and increasing the future cost of auditing or security. Consumer losses from a breach are usually a negative externality for
1650-483: A variety of motives, from financial gain to political activism, political repression, and espionage. There are several technical root causes of data breaches, including accidental or intentional disclosure of information by insiders, loss or theft of unencrypted devices, hacking into a system by exploiting software vulnerabilities, and social engineering attacks such as phishing where insiders are tricked into disclosing information. Although prevention efforts by
1725-413: Is a contested matter. It is disputed what standard should be applied, whether it is strict liability, negligence, or something else. Classified information Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance with
1800-426: Is also possible for malicious web applications to download malware just from visiting the website (drive-by download). Keyloggers, a type of malware that records a user's keystrokes, are often used in data breaches. The majority of data breaches could have been averted by storing all sensitive information in an encrypted format. That way, physical possession of the storage device or access to encrypted information
1875-533: Is an acronym for "Control of Secret Material in an International Command". Most countries employ some sort of classification system for certain government information. For example, in Canada, information that the U.S. would classify SBU (Sensitive but Unclassified) is called "protected" and further subcategorised into levels A, B, and C. On 19 July 2011, the National Security (NS) classification marking scheme and
1950-424: Is based on an impact assessment; governments have their own criteria, including how to determine the classification of an information asset and rules on how to protect information classified at each level. This process often includes security clearances for personnel handling the information. Some corporations and non-government organizations also assign levels of protection to their private information, either from
2025-651: Is desired that no document be released which refers to experiments with humans and might have adverse effect on public opinion or result in legal suits. Documents covering such work field should be classified "secret". April 17, 1947 Atomic Energy Commission memo from Colonel O.G. Haywood, Jr. to Dr. Fidler at the Oak Ridge Laboratory in Tennessee. As of 2010, Executive Order 13526 bans classification of documents simply to "conceal violations of law, inefficiency, or administrative error" or "prevent embarrassment to
2100-541: Is governed by the Security of Information Act, effective 24 December 2001, replacing the Official Secrets Act 1981. To access the information, a person must have the appropriate security clearance and the need to know. In addition, the caveat "Canadian Eyes Only" is used to restrict access to Classified or Protected information only to Canadian citizens with the appropriate security clearance and need to know. SOI
2175-476: Is marked COSMIC Top Secret Atomal (CTSA), NATO Secret Atomal (NSAT), or NATO Confidential Atomal (NCA). BALK and BOHEMIA are also used. For example, sensitive information shared amongst NATO allies has four levels of security classification; from most to least classified: A special case exists with regard to NATO Unclassified (NU) information. Documents with this marking are NATO property (copyright) and must not be made public without NATO permission. COSMIC
2250-536: Is not a classification of data per se. It is defined under the Security of Information Act, and unauthorised release of such information constitutes a higher breach of trust, with a penalty of up to life imprisonment if the information is shared with a foreign entity or terrorist group. SOIs include: Classified information can be designated Top Secret, Secret or Confidential. These classifications are only used on matters of national interest. Protected information
2325-452: Is often the responsibility of a dedicated computer security incident response team, often including technical experts, public relations, and legal counsel. Many companies do not have sufficient expertise in-house, and subcontract some of these roles; often, these outside resources are provided by the cyber insurance policy. After a data breach becomes known to the company, the next steps typically include confirming it occurred, notifying
Gordon–Loeb model - Misplaced Pages Continue
2400-417: Is only cents to a few dollars per victim. Legal scholars Daniel J. Solove and Woodrow Hartzog argue that "Litigation has increased the costs of data breaches but has accomplished little else." Plaintiffs often struggle to prove that they suffered harm from a data breach. The contribution of a company's actions to a data breach varies, and likewise the liability for the damage resulting for data breaches
2475-406: Is rarely legally liable for the cost of breaches, thus creating an incentive to make cheaper but less secure software. Vulnerabilities vary in their ability to be exploited by malicious actors. The most valuable allow the attacker to inject and run their own code (called malware), without the user being aware of it. Some malware is downloaded by users via clicking on a malicious link, but it
2550-616: Is required by law, and only personal information is covered by data breach notification laws. The first reported data breach occurred on 5 April 2002 when 250,000 social security numbers collected by the State of California were stolen from a data center. Before the widespread adoption of data breach notification laws around 2005, the prevalence of data breaches is difficult to determine. Even afterwards, statistics per year cannot be relied on because data breaches may be reported years after they occurred, or not reported at all. Nevertheless,
2625-421: Is restricted on a "need to know" basis. Simply possessing a clearance does not automatically authorize the individual to view all material classified at that level or below that level. The individual must present a legitimate "need to know" in addition to the proper level of clearance. In addition to the general risk-based classification levels, additional compartmented constraints on access exist, such as (in
2700-479: Is stored on personal devices of employees. Via carelessness or disregard of company security policies, these devices can be lost or stolen. Technical solutions can prevent many causes of human error, such as encrypting all sensitive data, preventing employees from using insecure passwords, installing antivirus software to prevent malware, and implementing a robust patching system to ensure that all devices are kept up to date. Although attention to security can reduce
2775-433: Is that the laws are poorly enforced, with penalties often much less than the cost of a breach, and many companies do not follow them. Many class-action lawsuits, derivative suits, and other litigation have been brought after data breaches. They are often settled regardless of the merits of the case due to the high cost of litigation. Even if a settlement is paid, few affected consumers receive any money as it usually
2850-419: Is useless unless the attacker has the encryption key. Hashing is also a good solution for keeping passwords safe from brute-force attacks, but only if the algorithm is sufficiently secure. Many data breaches occur on the hardware operated by a partner of the organization targeted—including the 2013 Target data breach and 2014 JPMorgan Chase data breach. Outsourcing work to a third party leads to
2925-418: Is widely regarded as one of the leading analytical tools in cybersecurity economics. It has been extensively referenced in academic and industry literature. It has also been tested in various contexts by researchers such as Marc Lelarge and Yuliy Baryshnikov. The model has also been covered by mainstream media, including The Wall Street Journal and The Financial Times. Subsequent research has critiqued
3000-471: The Access to Information Act: ultrassecreto (top secret), secreto (secret) and reservado (restricted). A top secret (ultrassecreto) government-issued document may be classified for a period of 25 years, which may be extended up to another 25 years. Thus, no document remains classified for more than 50 years. This is mandated by the 2011 Information Access Law (Lei de Acesso à Informação),
3075-516: The European Union's General Data Protection Regulation (GDPR) took effect. The GDPR requires notification within 72 hours, with very high fines possible for large companies not in compliance. This regulation also stimulated the tightening of data privacy laws elsewhere. As of 2022, the only United States federal law requiring notification for data breaches is limited to medical data regulated under HIPAA, but all 50 states (since Alabama passed
3150-451: The dark web—parts of the internet where it is difficult to trace users and illicit activity is widespread—using platforms like .onion or I2P. Originating in the 2000s, the dark web, followed by untraceable cryptocurrencies such as Bitcoin in the 2010s, made it possible for criminals to sell data obtained in breaches with minimal risk of getting caught, facilitating an increase in hacking. One popular darknet marketplace, Silk Road,
3225-420: The reasonableness approach. The former is rarely used due to a lack of flexibility and reluctance of legislators to arbitrate technical issues; with the latter approach, the law is vague but specific standards can emerge from case law. Companies often prefer the standards approach for providing greater legal certainty, but they might check all the boxes without providing a secure product. An additional flaw
3300-496: The NATIONAL CABINET caveat, OFFICIAL: Sensitive or higher). Australia has four caveats: Codewords are primarily used within the national security community. Each codeword identifies a special need-to-know compartment. Foreign government markings are applied to information created by Australian agencies from foreign source information. Foreign government marking caveats require protection at least equivalent to that required by
3375-736: The Non-National Security (NNS) classification marking scheme in Australia was unified into one structure. As of 2018, the policy detailing how Australian government entities handle classified information is defined in the Protective Security Policy Framework (PSPF). The PSPF is published by the Attorney-General's Department and covers security governance, information security, personal security, and physical security. A security classification can be applied to
3450-546: The U.S.) Special Intelligence (SI), which protects intelligence sources and methods, No Foreign dissemination (NoForn), which restricts dissemination to U.S. nationals, and Originator Controlled dissemination (OrCon), which ensures that the originator can track possessors of the information. Information in these compartments is usually marked with specific keywords in addition to the classification level. Government information about nuclear weapons often has an additional marking to show it contains such information (CNWDI). When
3525-522: The United Kingdom and other members of the British Empire used Most Secret, but this was later changed to match the United States' category name of Top Secret in order to simplify Allied interoperability. The Washington Post reported in an investigation entitled "Top Secret America" that, as of 2010, "An estimated 854,000 people ... hold top-secret security clearances" in the United States. It
3600-625: The United States, breaches may be investigated by government agencies such as the Office for Civil Rights, the United States Department of Health and Human Services, and the Federal Trade Commission (FTC). Law enforcement agencies may investigate breaches although the hackers responsible are rarely caught. Notifications are typically sent out as required by law. Many companies offer free credit monitoring to people affected by
3675-421: The business. Some experts have argued that the evidence suggests there is not enough direct costs or reputational damage from data breaches to sufficiently incentivize their prevention. Estimating the cost of data breaches is difficult, both because not all breaches are reported and also because calculating the impact of breaches in financial terms is not straightforward. There are multiple ways of calculating
3750-557: The company holding the data can reduce the risk of data breach, it cannot bring it to zero. The first reported breach was in 2002 and the number occurring each year has grown since then. A large number of data breaches are never detected. If a breach is made known to the company holding the data, post-breach efforts commonly include containing the breach, investigating its scope and cause, and notifications to people whose records were compromised, as required by law in many jurisdictions. Law enforcement agencies may investigate breaches, although
3825-603: The company is using a continuous integration/continuous deployment model where new versions are constantly being rolled out. The principle of least persistence—avoiding the collection of data that is not necessary and destruction of data that is no longer necessary—can mitigate the harm from breaches. The challenge is that destroying data can be more complex with modern database systems. A large number of data breaches are never detected. Of those that are, most breaches are detected by third parties; others are detected by employees or automated systems. Responding to breaches
3900-429: the company's contractual obligations. Gathering data about the breach can facilitate later litigation or criminal prosecution, but only if the data is gathered according to legal standards and the chain of custody is maintained. Database forensics can narrow down the records involved, limiting the scope of the incident. Extensive investigation may be undertaken, which can be even more expensive than litigation. In
3975-426: The cost to businesses, especially when it comes to personnel time dedicated to dealing with the breach. Author Kevvie Fowler estimates that more than half the direct cost incurred by companies is in the form of litigation expenses and services provided to affected individuals, with the remaining cost split between notification and detection, including forensics and investigation. He argues that these costs are reduced if
4050-429: The cybercriminal. Two-factor authentication can prevent the malicious actor from using the credentials. Training employees to recognize social engineering is another common strategy. Another source of breaches is accidental disclosure of information, for example publishing information that should be kept private. With the increase in remote work and bring your own device policies, large amounts of corporate data
4125-563: The first reported data breach in April 2002, California passed a law requiring notification when an individual's personal information was breached. In the United States, notification laws proliferated after the February 2005 ChoicePoint data breach, widely publicized in part because of the large number of people affected (more than 140,000) and also because of outrage that the company initially informed only affected people in California. In 2018,
4200-402: The fix is working as expected. If malware is involved, the organization must investigate and close all infiltration and exfiltration vectors, as well as locate and remove all malware from its systems. If data was posted on the dark web, companies may attempt to have it taken down. Containing the breach can compromise investigation, and some tactics (such as shutting down servers) can violate
4275-415: The following British definitions (from the highest level to lowest). Top Secret is the highest level of classified information. Information is further compartmented so that specific access using a code word after top secret is a legal way to hide collective and important information. Such material would cause "exceptionally grave damage" to national security if made publicly available. Prior to 1942,
4350-599: The foreign government providing the source information. Special handling instructions are used to indicate particular precautions for information handling. They include: A releasability caveat restricts information based on citizenship. The three in use are: Additionally, the PSPF outlines Information Management Markers (IMM) as a way for entities to identify information that is subject to non-security related restrictions on access and use. These are: There are three levels of document classification under Brazilian Law No. 12.527,
4425-508: The hackers are paid large sums of money. The Pegasus spyware—a no-click malware developed by the Israeli company NSO Group that can be installed on most cellphones and spies on the users' activity—has drawn attention both for use against criminals such as drug kingpin El Chapo as well as political dissidents, facilitating the murder of Jamal Khashoggi. Despite developers' goal of delivering
4500-423: The hackers responsible are rarely caught. Many criminals sell data obtained in breaches on the dark web. Thus, people whose personal data was compromised are at elevated risk of identity theft for years afterwards and a significant number will become victims of this crime. Data breach notification laws in many jurisdictions, including all states of the United States and European Union member states, require
4575-407: The information itself or an asset that holds information e.g., a USB or laptop. The Australian Government uses four security classifications: OFFICIAL: Sensitive, PROTECTED, SECRET and TOP SECRET. The relevant security classification is based on the likely damage resulting from compromise of the information’s confidentiality. All other information from business operations and services requires
4650-558: the law is violated. Notification laws increase transparency and provide a reputational incentive for companies to reduce breaches. The cost of notifying the breach can be high if many people were affected and is incurred regardless of the company's responsibility, so it can function like a strict liability fine. As of 2024, Thomas on Data Breach listed 62 United Nations member states that are covered by data breach notification laws. Some other countries require breach notification in more general data protection laws. Shortly after
4725-457: The likelihood and damage of breaches. Several data breaches were enabled by reliance on security by obscurity; the victims had put access credentials in publicly accessible files. Nevertheless, prioritizing ease of use is also important because otherwise users might circumvent the security systems. Rigorous software testing, including penetration testing, can reduce software vulnerabilities, and must be performed prior to each release even if
4800-463: The model's assumptions, suggesting that some security breach functions may require fixing no less than 1/2 the expected loss, challenging the universality of the 1/e factor. Alternative formulations even propose that some loss functions may justify investment at the full estimated loss. Data breach A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information". Attackers have
4875-503: The national interest; to distinguish when classifying information is in the collective best interest of a just society, or merely the best interest of a society acting unjustly to protect its people, government, or administrative officials from legitimate recourses consistent with a fair and just social contract. The purpose of classification is to protect information. Higher classifications protect information that might endanger national security. Classification formalises what constitutes
4950-764: The notification of people whose data has been breached. Lawsuits against the company that was breached are common, although few victims receive money from them. There is little empirical evidence of economic harm to firms from breaches except the direct cost, although there is some evidence suggesting a temporary, short-term decline in stock price. A data breach is a violation of "organizational, regulatory, legislative or contractual" law or policy that causes "the unauthorized exposure, disclosure, or loss of personal information". Legal and contractual definitions vary. Some researchers include other types of information, for example intellectual property or classified information. However, companies mostly disclose breaches because it
5025-450: The organization has invested in security prior to the breach or has previous experience with breaches. The more data records involved, the more expensive a breach typically will be. In 2016, researcher Sasha Romanosky estimated that while the mean breach cost around the targeted firm $5 million, this figure was inflated by a few highly expensive breaches, and the typical data breach was much less costly, around $200,000. Romanosky estimated
5100-489: The public is deemed to have the right to all information that is not considered to be damaging if released. Sometimes documents are released with information still considered confidential obscured (redacted), as in the adjacent example. The question exists among some political science and legal experts whether the definition of classified ought to be information that would cause injury to the cause of justice, human rights, etc., rather than information that would cause injury to
5175-475: The response team, and attempting to contain the damage. To stop exfiltration of data, common strategies include shutting down affected servers, taking them offline, patching the vulnerability, and rebuilding. Once the exact way that the data was compromised is identified, there is typically only one or two technical vulnerabilities that need to be addressed in order to contain the breach and prevent it from reoccurring. A penetration test can then verify that
5250-611: The risk of data breach, it cannot bring it to zero. Security is not the only priority of organizations, and an attempt to achieve perfect security would make the technology unusable. Many companies hire a chief information security officer (CISO) to oversee the company's information security strategy. To obtain information about potential threats, security professionals will network with each other and share information with other organizations facing similar threats. Defense measures can include an updated incident response strategy, contracts with digital forensics firms that could investigate
5325-545: The security is above average. More organized criminals have more resources and are more focused in their targeting of particular data. Both of them sell the information they obtain for financial gain. Another source of data breaches are politically motivated hackers, for example Anonymous, that target particular objectives. State-sponsored hackers target either citizens of their country or foreign entities, for such purposes as political repression and espionage. Often they use undisclosed zero-day vulnerabilities for which
5400-644: The statistics show a continued increase in the number and severity of data breaches that continues as of 2022. In 2016, researcher Sasha Romanosky estimated that data breaches (excluding phishing) outnumbered other security breaches by a factor of four. According to a 2020 estimate, 55 percent of data breaches were caused by organized crime, 10 percent by system administrators, 10 percent by end users such as customers or employees, and 10 percent by states or state-affiliated actors. Opportunistic criminals may cause data breaches—often using malware or social engineering attacks, but they will typically move on if
5475-402: The system's security, such as revealing a password or clicking a link to download malware. Data breaches may also be deliberately caused by insiders. One type of social engineering, phishing, obtains a user's credentials by sending them a malicious message impersonating a legitimate entity, such as a bank, and getting the user to enter their credentials onto a malicious website controlled by
5550-416: The total annual cost to corporations in the United States to be around $10 billion. The law regarding data breaches is often found in legislation to protect privacy more generally, and is dominated by provisions mandating notification when breaches occur. Laws differ greatly in how breaches are defined, what type of information is protected, the deadline for notification, and who has standing to sue if
5625-442: Was shut down in 2013 and its operators arrested, but several other marketplaces emerged in its place. Telegram is also a popular forum for illegal sales of data. This information may be used for a variety of purposes, such as spamming, obtaining products with a victim's loyalty or payment information, identity theft, prescription drug fraud, or insurance fraud. The threat of data breach or revealing information obtained in