Summary: A report recently released by BakerHostetler shows that employee carelessness was a leading cause of its clients' security breaches in 2014.
BakerHostetler’s Privacy and Data Protection team has released a report stating that the primary cause of its clients’ security breaches in 2014 was human error. According to CSO Online, employee negligence was a primary cause of breaches in 36 percent of its clients’ cases. Outside theft was responsible for 22 percent, insider theft for 16 percent, malware for 16 percent, and phishing for 14 percent of the breaches. The data is based on over 200 incidents, and, although the sample size of the group is fairly small, the numbers reflect what bigger reports have also found. The chair of the U.S. Securities and Exchange Commission, Mary Jo White, has said that cyber-attacks against the United States are the “biggest risk we face,” according to Bloomberg.
No industry is immune to such a breach, but the healthcare industry suffered the most incidents in 2014, primarily due to strict notification requirements.
The healthcare industry is followed by retail and hospitality, financial services, professional services, and education in the number of breaches suffered. Although the healthcare industry had the largest number of incidents, the incidents that hit the professional services industry were the most severe in nature.
The report read, “While PHI incidents are disclosed more frequently, driven in part by HIPAA presumption that a breach occurred, the severity when measured by number of affected individuals is often less (many incidents affect less than 10 people). It is also not surprising that professional services and retail/hospitality services providers top the list when it comes to severity. And because incidents affecting these sectors often require forensic investigation and draw more media coverage, the cost and potential financial consequences are dramatically higher on a per-incident basis.”
Interestingly, while most incidents in general are not self-detected, BakerHostetler's clients discovered the breaches themselves 64 percent of the time.
Most of the clients dealt with electronic breaches, but 21 percent were paper-related, which is not surprising, considering most medical offices and law firms use paper records.
Most of the clients offered credit monitoring after the breaches occurred. The report noted, “Whether paper or electronic, the data at risk that led to the decision to notify in 58 percent of our incidents was data subject to state breach notification laws, such as Social Security or driver’s license numbers and financial account information. Health information was affected in 34 percent of the incidents and eight percent involved payment card data.”
As for regulatory action, fewer than five percent of incidents called for multi-state inquiries, and just 59 cases required notifying the state attorney general. According to the Wall Street Journal, new laws are being proposed that would not require companies to disclose minor breaches.
Retail clients suffered fines and assessments from four credit card brands that ranged from $5,000 to $50,000. The initial demand for fraud assessment and operating expense ranged from $3 to $25 per card.
Gerald Ferguson, the co-leader of BakerHostetler’s Privacy and Data Protection Team, said, “While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimize vulnerabilities.”
Clearly, humans are still the highest risk for such breaches, and the issue unfortunately does not have a simple fix.
Source: CSO Online
Photo credit: lasclev.org