Data records compromised over time:

| Year | Records compromised | Commentary |
|---|---|---|
| 2008 | 60,000,000 | Hackers figured out ways around security |
| 2009 | 144,000,000 | Drop due to added security |
| 2010 | 4,000,000 | Further added security |
| 2011 | 174,000,000 | Hackers figured out ways around security |
| 2012 | 44,000,000 | IT is catching more hackers before a breach, but it is only a matter of time before hackers figure out new ways to breach data, so 2013 should see a rise in data records breached |
80% of 2011 data breaches investigated by the Secret Service were avoidable through simple or intermediate controls.
Companies with 250+ employees were the focus of 31% of all cyber attacks in 2012, representing a 58% for 2012 from 18% in 2011.

| # Employees | # Breaches |
|---|---|
| 1,001 - 10,000 | 71 |
| 10,001 - 100,000 | 122 |
2012 Average Cost per Compromised Record = $188 (this figure is low, given the increased cost of investigation, notification, PR expense, costs to manage the data breach, legal fees and payments of any judgments).
49 states have state-specific laws regarding data breach. In over one-half of the 49 states, notifications have to be sent not only to the affected individual but also to other third parties such as: Credit Bureaus, the State Attorney General's Office, State Police and the State Department of Consumer Affairs.
Three Biggest Security Threats:
- Employee Theft or Inadvertent Mistake
- Physical loss or theft of a computer, portable device, backup tape, jump drive, PAPER, or other media
- Loss or theft of passwords
Other threats include:
- Misdirected email or fax
- Unintentional transmission of a virus or other malware to a third party's computer system or network. The business causing the loss could be held responsible for the loss of business income the third party suffered as a result of being unable to use their systems for some period of time.
A data breach may take weeks to discover, but a data breach results in immediate costs being incurred by a business. For example, a business suffering a data breach must launch a simultaneous investigation into:
- What was breached (how many and whose records)
- How the data was breached, and fixing the hole that enabled the breach, which means hiring forensic experts and a specialized attorney
- What obligations State and Federal regulations impose
- How to notify the affected individuals
- What to offer the affected individuals (credit monitoring)
What can you do about it?
- Know what you have (inventory servers, software, computers, mobile devices)
- Scale down the number of records you keep
- Lock data down (password protection, firewalls, antivirus software, data encryption, or outsource data security functions to 3rd party vendors that provide these as part of their service)
- Shred unneeded documents
- Plan ahead for a data breach - have a Rapid Response Plan
- Perform employee background checks at hiring
- Limit access to data based on job function
- Immediately restrict access to data upon employee termination
- Log management/review of data access
- Periodic purging of sensitive data from computer systems and files
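The script below is an added example (not taken from this page or from any insurer's materials) showing how three of the controls above can be checked together: limiting access by job function, cutting off access at termination, and reviewing access logs. The log format, the employee roster, and the role-to-resource rules are all constructed assumptions for the example; swap in the fields your own systems actually record.

```python
"""Review data-access log lines against a roster and job-function rules.

Added example, not from the original page. The log format, roster fields
and the role-to-resource map below are assumptions made for illustration.
"""
from datetime import date

# Assumed log format (constructed for this example), one access per line:
#   <YYYY-MM-DD> user=<id> resource=<name> action=<read|write|export>
SAMPLE_LOG = """\
2013-03-04 user=asmith resource=payroll_db action=read
2013-03-04 user=bjones resource=customer_pii action=export
2013-03-05 user=cdoe resource=customer_pii action=read
2013-03-06 user=asmith resource=customer_pii action=read
2013-03-07 user=bjones resource=payroll_db action=read
"""

# Constructed employee roster: the role decides which resources a user may
# touch; a termination date means every access on or after it is a finding.
ROSTER = {
    "asmith": {"role": "payroll", "terminated": None},
    "bjones": {"role": "sales", "terminated": date(2013, 3, 6)},
    "cdoe": {"role": "support", "terminated": None},
}

# Constructed job-function rules: resource -> roles allowed to access it.
ALLOWED_ROLES = {
    "payroll_db": {"payroll"},
    "customer_pii": {"sales", "support"},
}

# Actions that move data out of the system and deserve a second look even
# when the role itself is permitted.
SENSITIVE_ACTIONS = {"export"}


def parse_line(line):
    """Turn one log line into a dict; raises ValueError on a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"unexpected log line: {line!r}")
    entry = {"date": date.fromisoformat(parts[0])}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if not sep or not value:
            raise ValueError(f"bad field {field!r} in {line!r}")
        entry[key] = value
    return entry


def review_access(log_text, roster=ROSTER, allowed=ALLOWED_ROLES):
    """Return (line_no, reason) findings for every access that breaks a rule."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        entry = parse_line(raw)
        user, resource = entry["user"], entry["resource"]
        person = roster.get(user)
        if person is None:
            findings.append((line_no, f"unknown account {user}"))
            continue
        ended = person["terminated"]
        if ended is not None and entry["date"] >= ended:
            findings.append((line_no, f"{user} accessed {resource} after termination"))
            continue
        if person["role"] not in allowed.get(resource, set()):
            findings.append(
                (line_no, f"{user} ({person['role']}) outside job function for {resource}")
            )
            continue
        if entry["action"] in SENSITIVE_ACTIONS:
            findings.append((line_no, f"{user} performed {entry['action']} on {resource}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in review_access(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Run against the constructed sample, the review flags three lines: the export of customer PII (permitted role, sensitive action), a payroll user reading customer PII (outside job function), and a terminated employee reading the payroll database the day after termination. The ordering of the checks matters: a terminated account is reported as such even if its old role would still have allowed the access, so the termination finding is not masked by a role finding.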
Businesses that are not already armed with a rapid response plan, and that have not purchased a cyber insurance product to help fund the costs of the required responses, also face an increased risk of loss of business reputation, resulting in the loss of customers now and in the future.
First Party Coverage (Coverage for losses incurred by Insured):
- Notification Expense
- Legal & Forensic services
- Crisis Management
- Good Faith Advertising
- Services for impacted individuals, i.e., credit monitoring, help line
- Limits available: $10k, $25k, $50k, $100k with deductibles of $1k or $2,500
Third Party Coverage (Coverage for losses arising from civil awards, settlements and judgments that insured is legally required to pay):
- Claims Made
- No deductible
- Limits available: $50k, $100k, $250k, $500k
Resource: Hartford EBC website - Identity Theft 911 has many resources on how to avoid a data breach and what to do if you have one.