Over the last ten years, an increasing number of high-profile brands, businesses and media figures have been the victims – or unwitting aides – in data breaches around the world. Major retailer Target came under fire in 2015 when it was revealed that a substantial data breach had affected 40 million customers. In December 2015, the company agreed to a $39 million settlement with several of the affected banks. This settlement was paid out on top of two additional settlements during the same year, one in August for $67 million and another in April for $10 million.
In October 2015, Sony Pictures settled its data breach case for $8 million. The previous year, hackers from North Korea had infiltrated the company’s computer systems in retaliation for Sony’s film The Interview. The hackers gained access to a bevy of compromising information, and it was considered the biggest data breach of the century by some media outlets. In the settlement, Sony admitted no wrongdoing, despite allegations from former employees that the company knew about its security issues and assumed the risk rather than addressing them.
A recent study by IBM and the Ponemon Institute examined the global impact of data breaches. In 2015, companies spent an average of $154 per record of stolen or lost data, a 6 percent increase from 2014. Among the companies surveyed, the average total cost of a data breach was about $3.8 million, a 23 percent increase since 2013. The retail sector suffered substantial losses: from 2014 to 2015, the cost of a breach in retail alone rose from $105 to $165 per lost or stolen record.
Despite the rise in data breaches worldwide, some companies have yet to take a proactive or vigorous approach to reducing this problem. Even worse, some organizations still lack a comprehensive policy for addressing data breaches if and when they occur. Data security matters. In an age where technology makes or breaks success, companies need a strategy for preventing, addressing and recovering from data theft. Otherwise, they risk not only monetary loss but substantial and sometimes permanent reputation damage. Without addressing the problem, businesses stand to lose:
- Money: Not only will businesses have to recoup any actual cash value that might have been compromised in a breach, but a breach can also expose customers’ sensitive information. Legal fees, compensation and other expenses are just the tip of the iceberg when it comes to monetary loss.
- Legal cases: The bigger the brand, the more likely it is that lawsuits and litigation will follow a data breach. Customers may have legitimate claims for wrongdoing or negligence, leading to lengthy legal battles and possibly substantial payouts.
- Customers: Customers depend on companies to keep their information secure. A break in this implicit trust will often lead to a loss of customers, even loyal ones and even those who weren’t affected by the breach.
- Share values: As a company loses customers and reputation, share values will inevitably plummet. No one wants to invest in a company that can’t keep its data safe. One estimate indicates that a company could lose 3 percent of its market value due solely to a data breach.
- Good reputations: Perhaps the biggest intangible impact, a loss of good reputation seals a company’s fate. No matter the brand, customers will have a hard time trusting any entity that doesn’t take data security seriously. In a 2012 survey of 700 companies conducted by the Ponemon Institute, 54 percent of respondents thought that it would take anywhere from 10 months to two years to rebuild a solid reputation after a data breach.
Large companies with global reputations stand to lose big when it comes to data breaches, but small businesses aren’t immune to the problem. In fact, 90 percent of data breaches affect small businesses, with the most affected industries being retail, food and drink, and hospitality. Cyber criminals target small businesses because they assume – often correctly – that smaller organizations don’t have the same level of security that larger brands do. For small businesses, the average cost to address a data breach is around $36,000, but some companies will pay much more than this.
It’s clear that data breaches pose a significant threat to businesses, not to mention the effects on individual customers and others directly affected. But how do these situations occur? In a world that depends on the Internet, computers and strong security systems, how do big data breaches happen in the first place? By looking at the causes and understanding the effects, businesses can work toward resolving this devastating issue.
What causes a breach in security?
Data breaches are caused by three major factors according to independent research: targeted attacks, well-intentioned insiders and malicious insiders. More often than not, a combination of these factors leads to a data breach. While malicious attacks get the most press, most data breaches are actually caused by employees who fail to follow proper security protocols. Mishandling of data enables third-party attacks, but it also allows sensitive information to fall into the wrong hands by accident. Negligence accounts for about 88 percent of data breaches according to one Ponemon study, and there are five major sources of insider negligence:
- Stolen laptops
- Data left on unprotected desktops and servers
- Unsecured email and mobile devices
- Insufficient third-party procedures
- Outdated business practices
Perhaps more troubling are malicious insider attacks, which account for a growing number of data breaches. Disgruntled employees, people who have lost their jobs, white-collar criminals and corporate spies purposely steal company information for personal or monetary gain. Their intent may not be identity theft, but the effect can be just as devastating depending on the information they steal. Malicious insiders often keep unsecured data on their personal computers, which in itself opens up the possibility of third-party attacks.
You’re more likely to hear about targeted attacks on the news because these situations, while not as common as well-intentioned insider negligence, reveal just how weak certain security systems are. Like an elaborate bank robbery scheme, targeted attacks typically happen in phases: incursion, discovery, capture and exfiltration.
- During the incursion phase, hackers will infiltrate a system using various methods. They may brute-force a password, look for vulnerabilities in the network or inject malware into a company’s system to reveal critical information.
- Next, cyber criminals will look for data that they can use. They’ll map out the company’s systems and identify valuable information.
- Once they know what to look for, hackers will create a customized plan for acquiring the data. They’ll target the most easily accessible bits of information first – like files stored on unsecured servers – and go after harder-to-find data next. To a sophisticated cyber criminal, nothing is off limits.
- Finally, thieves will exfiltrate the data, sending it to a home base either by email or as encrypted files.
These scenarios represent the majority of high-profile data breach cases, but companies are also vulnerable to attack for other reasons. Travelers Insurance demonstrated how easy it would be to hack into a site with only basic security measures in place. In the demonstration, a basic website was created, and the Travelers security team broke into the site in a few minutes, showing that the average business is far more susceptible to attack than one with top-of-the-line defenses. A 2015 data breach report by Verizon revealed that weak security credentials accounted for 76 percent of network intrusions. More accomplished hackers could have taken over Travelers’ fake site in even less time, so it should come as no surprise that many businesses simply leave themselves open to cyber crime without realizing it.
What do cyber criminals want?
One of the biggest direct impacts on consumers is monetary loss. Stolen credit or debit cards can lead to big charges with little hope of recovery. However, hackers aren’t only interested in money, at least not in the short term. A casual cyber criminal could hack into your bank account and drain it, but chances are that he won’t benefit much from a one-time theft. Criminals who engage in data breaches are typically looking for more information, such as your social security number and address, the kind that can help them open new accounts in your name. In essence, they’re looking to steal identities, and dedicated criminals are usually successful.
How prevalent is this issue? The numbers are shockingly high, especially within the last couple of years. In May 2014, CNN reported that about 47 percent of American adults had been hacked, and an astounding 432 million individual accounts had been exposed in the process. The news outlet also reported that companies like Michaels, Target, Adobe, Snapchat and Neiman Marcus had been breached, accounting for the compromised security of nearly 112 million customers combined. Even more disturbing, all of eBay’s 148 million customers were also exposed.
Retailers and eCommerce sites aren’t the only industries affected by data breaches. Anything you do online – from paying your mortgage to setting up dental appointments – can be the target of a data breach. In fact, your medical records may already have been hacked, according to The Huffington Post. A Ponemon Institute survey found that 94 percent of healthcare industry respondents had suffered a data breach in 2012, up about 65 percent from the year before. Worse still, fewer than half of the organizations surveyed reported that they didn’t know whether they could keep it from happening again – and some of them didn’t even know that it was happening in the first place. From 2005 to 2014, medical and healthcare records accounted for over 26 percent of data breaches in the U.S., with hacking ranked as the number one method for stealing information.
So what if a hacker wants to see how many times you’ve been to the ER in the last five years? Are medical records really that valuable? The short answer is yes. The longer answer is that medical records can be 10 times more valuable than your credit card number to the right person. In 2014, Chinese hackers stole personal information for 4.5 million people via medical records. On the black market, medical records are big sellers. With this information, black hatters can:
- Generate fake IDs using your real information
- Get prescriptions or medical equipment in your name and resell them
- File fake claims with insurers using a patient number and a false provider number
The healthcare industry is particularly susceptible to attack because many facilities simply lack high-end security features and the latest technology. Plus, medical identity theft can take years to be noticed, which allows criminals to game the system for much longer than they would be able to with a credit card scam. In terms of money, cyber criminals can get $10 for each stolen health record, which is 10 to 20 times the value of a credit card number.
Medical identity theft may be on the rise, but you’re probably more familiar with the risk of more traditional scams, such as stolen credit cards or social security numbers. But who wants this information, and why? If your social security number falls into the wrong hands, do you know what happens to it?
According to PrivacyMatters.com, data that gets stolen will ultimately “end up on a network of illegal trading sites where hackers and criminals from around the world will openly buy and sell large amounts of personal data for profit.” The site goes on to profile today’s computer hackers: “The criminals who used to lurk in doorways armed with a crowbar now lurk in front of laptops armed with a chai latte.” In essence, cyber criminals treat identity theft like a job – a high-risk, high-rewards job that creates mass panic and devastation depending on the target.
Today’s hackers are no longer tech-savvy, angst-ridden twentysomethings looking for 15 minutes of fame. They’re sophisticated criminals with malicious motives and the ability to buy, sell and trade information on more than 4,000 black market websites dedicated to identity theft. Many of them now work in teams, installing malware on the computer systems of specific, targeted organizations that will yield high rewards. The U.S. government takes identity theft seriously, encouraging people to report suspicious or fraudulent activity to local and federal authorities. Unfortunately, mom-and-pop stores, hospitals and even major retailers have failed to take these cyber crimes as seriously as they should.
Are there legal requirements after a data breach?
Data breaches occur for several reasons, from security lapses to concerted effort. But an organization’s readiness beforehand and its response after the fact play important roles in how a security compromise plays out. One of the biggest questions we need to ask is whether organizations are being held accountable when big data breaches occur. What are the legal requirements, and are they adequate?
According to the National Conference of State Legislatures, not every state has a law in place requiring organizations to notify affected parties when their personal information is compromised. As of January 2016, 47 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have legislation in place that demands notification. Each state or territory sets its own guidelines for how notification must take place, which entities are required to act and what constitutes a security breach of personally identifiable information. Alabama, New Mexico and South Dakota do not have laws in place requiring notification. Davis Wright Tremaine LLP offers an interactive map of state laws on data breach notification.
Individual states may choose how to notify victims of a data breach, but the federal government has also set stipulations for notification within certain parameters. According to The Personal Data Notification & Protection Act:
Any business entity engaged in or affecting interstate commerce, that uses, accesses, transmits, stores, disposes of or collects sensitive personally identifiable information about more than 10,000 individuals during any 12-month period shall, following the discovery of a security breach of such information, notify any individual whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed or acquired, unless there is no reasonable risk of harm or fraud to such individual.
Furthermore, organizations that fall under the guidelines outlined above have 30 days from when they learn of a data breach to notify affected individuals, unless they need more time to determine the scope of the breach. The government also outlines acceptable forms of notification and what the notices must contain. Notification must take at least one of the following forms:
- A personal phone call
- A letter to the last known home mailing address that the company has on file
- An email, as long as the affected individual has previously given consent to be contacted via email
- A targeted media release if the breach affects more than 5,000 people
The notice has to contain a description of the data breach and what information was potentially taken, a toll-free contact number for the organization, and toll-free phone numbers and addresses for the Federal Trade Commission and the major credit reporting bureaus.
How can organizations rectify the situation?
Legally, large companies that engage in interstate commerce are required to give notice to victims of data breaches, but it should go without saying that the bare minimum a company can do to rectify the situation is to notify its client base about the problem. Even organizations that are exempt from the Personal Data Notification & Protection Act, such as small businesses or those that don’t operate across state lines, should make every effort to inform clients about security compromises. However bad a data breach looks at the outset, it will look a lot worse in the long run if a company attempts to bury the information without giving notice.
Certainly notification is the first step toward rectifying a data breach, but there are other ways for organizations to recoup their losses and regain customer trust. Despite the number of times that Target has been breached over the last few years, people continue to shop there. How a company responds to security threats will determine its future. After notifying the affected individuals, here are some important ways for a company to handle the aftermath of data theft:
- Invite customer feedback. Make customers part of the conversation. Inviting criticism directly will open a dialogue and empower customers to feel more in control after a data breach.
- Offer identity theft protection to customers. Companies should offer free identity theft protection software to customers whose data gets stolen. This gesture not only generates goodwill, but it also helps those without financial recourse to navigate the Herculean task of recovering from identity theft.
- Hire an appropriate security team. If an organization doesn’t have a good team in place before an attack, then it should invest in the right people afterwards. A proper security team, even one hired on a contracted basis, can work to prevent future problems.
- Upgrade the existing infrastructure. Companies that get hacked need to seriously consider upgrading their equipment and their infrastructure to avoid long-term issues. It’s a costly endeavor that could save millions in the long run. Identifying weak points will reduce the risk of repeated hacks.
In this case, the best defense is a good offense. For larger companies in particular, there’s no excuse not to hire security professionals to create, implement and oversee a comprehensive data breach plan in case of attack. But even smaller organizations would benefit from taking the time to implement better security features. Cyber insurance can also help organizations in the aftermath of a data breach. Conducting business in an always-on, computer-based society comes with the responsibility of keeping customers’ data safe, secure and private.