BY JONATHAN STUTZ, CPCU, MORETON & COMPANY
As the world becomes more connected through increased e-commerce and data accessibility, the risk of data breach and the loss of personal information also rise. Over the last few years alone, there have been significant cyber attacks where a large amount of digital information was stolen, leaving many exposed.
These security breaches are no longer the exception; instead, they exemplify the cyber risk that every organization faces. Not every country's privacy laws require organizations to report security breaches to consumers, but based on the breaches that are known, a recent survey found that organizations faced an average of 10 or more security incidents each day. Many organizations fail to understand the risks that come with being stewards of private data.
To understand cyber risk, it’s important to understand the types of data security breaches that can, and do, occur. Many times a breach will happen when data has not been disposed of properly.
While traditionally this includes un-shredded documents, unlocked or unchecked file cabinets, or even prescription bottles, today there are many more electronic assets that need protecting. These assets include computers, smart phones, tablets, backup tapes, hard drives, servers, copiers, fax machines, scanners, and printers.
Additional types of breaches come in the form of online phishing attacks, or social engineering. Other outside attacks include: network intrusions, hacks, malware, viruses, and ransomware. An inside attack can also occur, whether accidental or not, when a member of an organization loses, misplaces, or even steals electronic or hard copy assets. A breach can be the fault of insider misuse when there is a failure to follow internal policies and procedures, an accidental disclosure takes place, or when there is a rogue employee, student, or visitor.
According to a 2015 Verizon survey, the average financial loss for every 1,000 records stolen was between $52,000 and $87,000. And according to Ponemon, health care related breaches cost the most of any industry, averaging $233 per breached record.
Although it may seem that many cyber criminals are often after credit card information or even intellectual property, organizations with health records are also at great risk, as data thieves steal medical information for a variety of reasons. Recently, in Salt Lake City, a woman stole a medical identity and tested positive for methamphetamine. This nearly caused an innocent woman’s children to be taken into state custody.
Small businesses have been hit particularly hard by cyber breaches. Most cyber security experts agree that small and midsized enterprises are more attractive targets because they tend to be less secure. In the past it may have been true that cyber criminals viewed small businesses as too insignificant to attract interest; however, with modern automation, cyber criminals can now "mass produce" attacks for little investment. The quick spread of ransomware, like CryptoLocker, is a testament to this trend.

In the United States, 48 states have consumer privacy laws. Though they all differ, they define what is considered personal information that triggers a notification, the notification language, and its timing, and they may require a risk-of-harm analysis. These privacy laws may also require notice to the attorney general or a state agency, and may include an encryption safe harbor.

When it comes to the health care industry, there are additional federal protections in place under the Health Insurance Portability and Accountability Act (HIPAA), which was passed into law in 1996. HIPAA had some teeth with regard to penalties assessed when medical records were breached, but it did not require a HIPAA covered entity to notify or disclose a breach of medical record data. As a result, in 2009 the Health Information Technology for Economic and Clinical Health (HITECH) provisions added a requirement to notify impacted individuals and the U.S. Department of Health & Human Services, as well as the media. Further, HITECH imposes very stiff penalties for breaches of patient medical record data, with no cap, and with the penalty determined by how egregious the lack of controls that contributed to the breach was. This active regulatory involvement in the health care industry makes any medical record breach a tenuous and most likely very expensive experience.
Despite state, national, and even some international privacy laws being in place, data security experts see a security breach as unavoidable; in fact, there is a good chance your organization has already been breached in some respect. How can organizations mitigate and reduce the risks? Research shows that many organizations are missing a few key items that would improve their outcomes when a breach occurs: proper protections and an incident response plan, an insurance policy, and a practice session. These will become more important as lawmakers seek to add further cost burdens on organizations that suffer system security breaches. It is the basic security measures, and the continual validation of them, that will help organizations remain strong against breaches.