As we recently discussed, data breach legislation continues to be a moving target, with legislative changes pending in 32 States, not to mention Federal legislation and global laws such as the EU GDPR, which have the potential to impact US organizations. Outside of this wave of legal requirements, there are industry-specific laws (HIPAA) and regulators who set standards and impose fines following a data breach, and these regulators are in flux as well. Within just the last year, we’ve seen the SEC and FTC both stepping up their game, and the same can be said for the Federal Communications Commission (FCC).
Statistics show that almost half of all organizations suffered at least one serious security incident / data breach in the past 12 months, a figure which grows year-to-year. Some estimates place the figure higher, closer to three-quarters of all organizations. In healthcare, the percentage of organizations who have suffered a significant data breach or security incident ranges from 68% of organizations in the past year to 91% in the past two years.
The average per-record cost of a data breach is $964.31, according to the fifth annual Cyber Claims Study by NetDiligence, which uses actual cyber liability insurance claims to understand the real costs of incidents from an insurer’s perspective. The average claim for a large company was $4.8 million, though overall the average claim was $673,676 when weighted against the full spectrum of mostly smaller organizations sampled. The study shows, however, that high per-record costs are possible regardless of breach size.
The idea that ‘people’ are the root cause of data breaches is starting to hit home with executives. According to the Verizon DBIR, 90% of all security incidents trace back to ‘people,’ whether through mistakes, phishing, bad behaviour, or lost stuff. ‘People’ can leave organizations exposed to cyberattacks by using bad password hygiene, losing a device, or succumbing to a phishing scam. The end result that gets publicized is a cyberattack, but addressing data security requires looking to the root cause: ‘people.’
In December of 2009, two laptops containing sensitive information were stolen from the health insurance provider AvMed’s corporate headquarters, leading to a breach of 1.2 million customer records. Though this breach happened some years ago, AvMed suffered significant financial, reputational, and organizational hardship for years afterwards. What’s more, the subsequent class-action suit has set a new legal precedent for monetary reimbursements for breach victims.
The SANS Institute released a report earlier this year on Insider Threats and the Need for Fast and Directed Response. The report talks about the importance of recognizing insider threats, whether accidental or intentional, why they occur and their implications, which often are more dire than external attacks alone.
What will your next data breach do to your business? This is a question I ask readers of Information Age, where I contributed an article on the importance of understanding the impact of a data breach. An understanding of the risks and consequences of a data breach is key to planning appropriate security measures.
Government breaches don’t make up a large proportion of data breaches, clocking in at 11% of all breaches in 2014 and 7.6% of breaches thus far in 2015, and yet government agencies have been subject to an increased level of criticism over their struggles with data protection. Just why is this? I set forth to discover why the government is the most highly criticized for data breaches, how that affects public trust, and what governments can do to improve.