We are pleased to announce the release of the first BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. The report shows that human error was the number one cause of data security incidents we worked on last year, with employee negligence responsible for incidents 36% of the time. Other leading causes were theft by outsiders (22%), theft by insiders (16%), malware (16%) and phishing attacks (14%). The full report can be found here.
The report also makes clear that no industry is immune from threats to its sensitive information. Industries represented in the report include education, financial services, retail, insurance, technology, entertainment, hospitality and, in particular, healthcare sectors. While healthcare topped the chart of industries affected, that is due in part to strict data breach notification laws that all healthcare providers must follow.
It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information. Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront.
Rapid Response is Critical
Our report shows that incidents were self-detected 64% of the time. Of the incidents reported by a third party, 27 % were due to theft. A quick response to an incident is important for several reasons, including creating the opportunity to stop an attack in its early stages before sensitive data is accessed, preserving available forensic data to enable a precise determination of what occurred, and generating affirmative evidence to help the company respond in a way that protects affected individuals and minimizes potential financial and reputational consequences.
Detection Times Must be Shortened
For incidents that involved identifiable dates of detection and notification, the average amount of time that elapsed from incident occurrence to detection was 134 days. Many of the incidents we worked on in 2014 involved protected health information, and on average notification was made within 50 days of the time the company became aware of the incident (notification is required within 60 days of discovery when PHI is involved).
Among the other notable statistics in the report:
- Not all security lapses involved the theft or hacking of electronic records. Of the incidents included in the report, 21 percent involved paper records
- 58% of the incidents required notification of affected individuals – based on state breach notification laws
- Credit monitoring was offered in 67% of the incidents
- In 75 incidents where notification letters were mailed, only five of the companies faced litigation by potentially affected individuals
- Attorneys General were notified in 59 cases, resulting in inquiries 31% of the time. Multi-state inquiries were initiated less than 5% of the time
- For incidents involving stolen payment card data, PCI Data Security Standards fines for non-compliance ranged from $5,000 to $50,000 per matter. Initial demands for operating expense and fraud assessments ranged from $3 to $25 per card involved
While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimize vulnerabilities.
Our analysis shows that best-in-class cyber risk management starts with awareness that breaches cannot be prevented entirely, so emphasis is increasingly on defense-in-depth, segmentation, rapid detection and containment, coupled with ongoing effort to monitor threat intelligence and adapt to changing risks.