Data Security Incident Response Report Shows Human Error is More Often to Blame
Human error was the number one cause of data security incidents according to a new report released today by the Privacy and Data Protection Team at BakerHostetler. In the incidents that the firm worked on last year, employee negligence was responsible 36% of the time. That was followed by theft by outsiders (22%), theft by insiders (16%), malware (16%) and phishing attacks (14%).
The BakerHostetler Data Security Incident Response Report provides insights generated from the review of more than 200 incidents that the law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. BakerHostetler's award winning Privacy and Data Protection team is one of the nation's largest and most comprehensive practices, providing incident preparedness and response services, privacy compliance counseling, and litigation and regulatory defense.
The full report can be found here: BakerHostetler Data Security Incident Response Report
The report also makes clear that no industry is immune from threats to its sensitive information. Industries represented in the report include education, financial services, retail, insurance, technology, entertainment, hospitality and, in particular, healthcare sectors. While healthcare topped the chart of industries affected, that is due in part to strict data breach notification laws that all healthcare providers must follow.
"It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information," said Theodore Kobus, co-chair of BakerHostetler's Privacy and Data Protection team. "Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront."
The BakerHostetler Report shows that incidents were self-detected 64% of the time. Of the incidents reported by a third party, 27 % were due to theft. According to BakerHostetler, a quick response to an incident is important for several reasons, including creating the opportunity to stop an attack in its early stages before sensitive data is accessed, preserving available forensic data to enable a precise determination of what occurred, and generating affirmative evidence to help the company respond in a way that protects affected individuals and minimizes potential financial and reputational consequences.
For incidents that involved identifiable dates of detection and notification, the average amount of time that elapsed from incident occurrence to detection was 134 days. Many of the incidents the firm worked on involved protected health information, and on average notification was made within 50 days of the time the company became aware of the incident (notification is required within 60 days of discovery when PHI is involved).
Among the other notable statistics in the report are:
Not all security lapses involved the theft or hacking of electronic records. Of the incidents included in the report, 21 percent involved paper records
58% of the incidents required notification of affected individuals – based on state breach notification laws
Credit monitoring was offered in 67% of the incidents
In 75 incidents where notification letters were mailed, only five of the companies faced litigation by potentially affected individuals
Attorneys General were notified in 59 cases, resulting in inquiries 31% of the time. Multi-state inquiries were initiated less than 5% of the time
For incidents involving stolen payment card data, PCI Data Security Standards fines for non-compliance ranged from $5,000 to $50,000 per matter. Initial demands for operating expense and fraud assessments ranged from $3 to $25 per card involved
The BakerHostetler Data Security Incident Response Report provides insights generated from the review of more than 200 incidents that the law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. BakerHostetler's award winning Privacy and Data Protection team is one of the nation's largest and most comprehensive practices, providing incident preparedness and response services, privacy compliance counseling, and litigation and regulatory defense.
The full report can be found here: BakerHostetler Data Security Incident Response Report
The report also makes clear that no industry is immune from threats to its sensitive information. Industries represented in the report include education, financial services, retail, insurance, technology, entertainment, hospitality and, in particular, healthcare sectors. While healthcare topped the chart of industries affected, that is due in part to strict data breach notification laws that all healthcare providers must follow.
"It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information," said Theodore Kobus, co-chair of BakerHostetler's Privacy and Data Protection team. "Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront."
The BakerHostetler Report shows that incidents were self-detected 64% of the time. Of the incidents reported by a third party, 27 % were due to theft. According to BakerHostetler, a quick response to an incident is important for several reasons, including creating the opportunity to stop an attack in its early stages before sensitive data is accessed, preserving available forensic data to enable a precise determination of what occurred, and generating affirmative evidence to help the company respond in a way that protects affected individuals and minimizes potential financial and reputational consequences.
For incidents that involved identifiable dates of detection and notification, the average amount of time that elapsed from incident occurrence to detection was 134 days. Many of the incidents the firm worked on involved protected health information, and on average notification was made within 50 days of the time the company became aware of the incident (notification is required within 60 days of discovery when PHI is involved).
Among the other notable statistics in the report are:
Not all security lapses involved the theft or hacking of electronic records. Of the incidents included in the report, 21 percent involved paper records
58% of the incidents required notification of affected individuals – based on state breach notification laws
Credit monitoring was offered in 67% of the incidents
In 75 incidents where notification letters were mailed, only five of the companies faced litigation by potentially affected individuals
Attorneys General were notified in 59 cases, resulting in inquiries 31% of the time. Multi-state inquiries were initiated less than 5% of the time
For incidents involving stolen payment card data, PCI Data Security Standards fines for non-compliance ranged from $5,000 to $50,000 per matter. Initial demands for operating expense and fraud assessments ranged from $3 to $25 per card involved