[authors: Scott J Richardson, Esq., James Rough, Vishal Oza and Angela Sabbe]
There are numerous news reports of data and security breaches in which customers' personal information, including social security numbers, credit card numbers and health information, has been compromised. In fact, they are so frequent that websites such as databreaches.net, databreachwatch.org and privacyrights.org now track and chronicle data breaches. Many smaller companies perceive that they are not at risk for a data breach. However, that may prove to be untrue and very costly. In this article, data and technology experts James Rough, Vishal Oza, and Angela Sabbe from Navigant address issues associated with the risks from, and protections against, data breaches.
What is a data breach?
A data breach generally occurs when electronic or hardcopy data falls into the wrong hands. The potential for subsequent misuse or disclosure of the data then poses a significant risk of financial or other harm to the affected individuals or company. Data breaches vary greatly. Some are accidental, such as a thumb drive, smartphone or computer left on a plane, while others are intentional, such as a professional hacker gaining access to a company system with the intent to cause harm.
Why should I be concerned?
Your reputation and your company's reputation are at stake. You maintain sensitive information about your employees, clients and vendors that could wind up in the wrong hands. Ten or 15 years ago, data breaches were not as regulated as they are today. As a result of the large increase in electronically stored data, new breach notification laws at the Federal and state level may require reporting a breach to the affected individuals and other interested parties. If appropriate steps are not taken after a breach occurs, individuals and companies could incur financial, reputational or other losses, or face criminal or civil actions for non-compliance with relevant data privacy and security regulations.
What potential problems can arise from a data breach?
A wide range of repercussions could occur in the event of a data breach, including criminal charges if appropriate steps are not taken. The expense associated with fixing a data breach for some companies has been so large they had to file for bankruptcy protection.[i] While the monetary expense required to properly address a data breach can be high, it can take years for affected individuals to overcome the damage caused by a data breach.
What are some recent examples of data breach incidents and trends?
In one recent breach, a hospital agreed to pay $750,000 to settle allegations that it did not take adequate precautions to protect patient data. The case involved three boxes of tapes containing unencrypted patient data that were shipped in February 2010 to a third-party contractor. The hospital learned in June 2010 that the contractor had received just one of the three boxes. The data on the tapes included Social Security Numbers (SSNs), birth dates, health plans, diagnoses, and treatment information. A statement released by the Attorney General's office stated that the hospital violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to notify the contractor about the sensitive nature of the data on the tapes and by not ensuring that the contractor had appropriate security measures in place to protect the data. Sources indicate the hospital has since taken steps to improve its data security practices.[ii]
Another significant instance of data breach occurred at the US Federal Retirement Thrift Investment Board's (FRTIB) Thrift Savings Plan, when third-party service provider Serco was hacked, compromising the personal information of more than 123,000 participants. The FBI informed FRTIB and Serco of the breach in April. The compromised data included names, addresses, SSNs and, in some cases, financial account and routing numbers. FRTIB and Serco shut down the compromised system, conducted a forensic analysis to determine who was affected, and organized a response team to perform a comprehensive review of computer security procedures.[iii]
A third example involved a company that helps credit card companies process transactions for merchants. The breach was initially estimated to have affected one to three million accounts. While not all accounts were used in fraudulent transactions, the breach exposed millions of cardholders to the potential misuse of their personal information. The event highlighted that even a highly sophisticated company with proper encryption techniques can still experience a significant data breach.
Computers, servers, firewall logs, social media sites and even our cell phones are constantly generating data. As the volume of data and the number of systems grow, it becomes more challenging to protect them. Attackers are becoming more sophisticated and are constantly finding new ways to exploit weaknesses in security controls to obtain valuable data. Motivations and agendas for these attacks vary; however, money is a common motivator. New examples of data breaches relate to mobile devices, mobile payment technologies, and cloud computing, yet trends point back to traditional causes, which include: stolen or accidentally lost devices; malware and keystroke loggers transmitting data to attackers' servers; social engineering methods such as phishing e-mails and tailgating into office buildings; and the use of compromised user credentials to access sensitive information.
What if I just ignore a breach?
Would you ignore a thief who broke into your house? Ignoring a data breach not only potentially compromises sensitive information; it also puts you at risk of monetary or criminal penalties. For example, "willful neglect" of Protected Health Information (PHI) carries penalties up to $1.5 million[iv] and potential criminal liability. Ignoring the problem can also expose you to lawsuits from Federal and state agencies,[v] customers, employees, business partners and vendors.
What controls should I have in place to protect against data breach?
Proper controls should address the risks associated with the people, processes, and technology within your organization. Start by identifying and classifying sensitive data, then train employees to recognize sensitive data and the risks associated with it, and then design procedures and technical or physical controls to address those risks. Employees should also be trained in how to prevent, detect, and respond to data breaches.
You can put a security system on your house and a sign on your fence that says "Beware of dog," but that does not mean you will never be robbed. Many controls can help lower the risk of a data breach, but even with those controls in place, the possibility of a data breach still exists.
Consider the following:
Know your weaknesses and risks in advance. Consider utilizing penetration testing, sometimes referred to as "ethical hacking," to identify vulnerabilities in your systems and data security.
Implement technical controls, such as data encryption and intrusion detection, in combination with physical controls, such as restricting access to areas housing sensitive data.
Identify, in advance, an incident response team, including external counsel and technical experts.
Prepare an appropriate incident response plan.
Be familiar with laws and regulations affecting your company.
Incorporate and improve upon industry best practices and standards.
Ensure that all levels of employees are trained about the risks and their responsibilities to protect PHI and PII.
Build a culture of privacy and security.
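To make the first step above concrete, the following is an added example (not from the article or from Navigant) of a small scanner that finds and classifies the two data types this article names most often, SSNs and payment card numbers, and masks each finding so the classification report itself does not re-expose the data. The SSN pattern, the Luhn check used to weed out random digit strings, and the sample text are illustrative assumptions.

```python
"""Sensitive-data discovery helper (added example, not part of the article).

Scans free text for the data types the article highlights (SSNs and payment
card numbers) so that files holding them can be classified and placed under
the right controls (encryption, restricted access, handling training).
"""
import re

# Assumed SSN format: AAA-GG-SSSS, excluding area numbers 000, 666, 9xx and
# zero groups, which the SSA never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces/hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so reports never re-expose the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def classify(text: str) -> list:
    """Return one finding per sensitive value: its type and a masked form."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append({"type": "SSN", "masked": mask(m.group(0))})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):  # drop order numbers and other random digits
            findings.append({"type": "PAN", "masked": mask(digits)})
    return findings


# Constructed sample: one SSN, one Luhn-valid test card number, and one
# 16-digit string that fails Luhn and so must not be reported.
SAMPLE = ("Patient SSN 123-45-6789, paid with card 4111 1111 1111 1111; "
          "shipment reference 4111 1111 1111 1112.")

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding["type"], finding["masked"])
```
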
In addition to protecting customer financial data and protected health information, should I be concerned about protecting other types of data?
Yes. Among other things, you should be concerned about your employees' personal information. After data breaches compromised employees' personal information at two companies, the Federal Trade Commission (FTC) required each company to undergo biennial independent security audits for 20 years following the breach. The FTC also imposed the same audit requirement on an online gaming website after a data breach exposed the e-mail addresses and passwords of 30 million users. Corporate trade secrets and other valuable information, including customer lists, pricing, product designs, and proprietary source code, are increasingly the target of theft and corporate espionage.
Can I transfer the financial costs of a data breach response?
Yes. Insurance companies are starting to offer cyber insurance to help clients protect against some risk associated with cyber-attacks and data breaches. The policies can be complex and are a fairly new entrant into the insurance market. You should consult your in-house insurance professional or a qualified insurance attorney to ensure proper coverage.
Do the regulations or penalties vary by state?
In addition to the HIPAA and HITECH regulations covering breaches of PHI, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information. Deadlines vary, but some states specify that a breach should be investigated with reasonable expediency and require notifications to individuals and possibly to state and Federal agencies. There are multiple national data breach bills currently before Congress in an attempt to unify national policy on this topic.[vi]
Currently, Massachusetts law is stricter than many states'. It allows for monetary fines when a Massachusetts resident's data is breached or improperly disposed, regardless of where the data was maintained. The monetary fine is in addition to the other costs of responding to a data breach, which may include the investigation, notifications, establishment of a call center, and provision of credit monitoring and restoration services to impacted individuals. Additional costs for legal defense and regulatory response may also be incurred.
How expensive are data breaches for companies?
According to the Ponemon Institute,[vii] on average it costs companies nearly $194 per record breached. This excludes the cost of potential litigation and reputational damage. The figure varies across industries, with media, technology, and hospitality companies having an estimated cost per record breached of less than $140. Conversely, healthcare, pharmaceutical and financial companies have an estimated cost per record of $240. The total cost of healthcare breaches alone was estimated at $6.5 billion in 2011.[viii]
Are these regulations and penalties limited to the United States?
No. In many other countries, personal information is considered property of the individual and is essentially licensed to a company for a specific purpose. Many Canadian provinces call for voluntary reporting of data breaches. Three provinces require mandatory reporting for data breaches involving health information. Alberta requires reporting for all types of data breaches. Recent proposed changes to the European Union Data Protection Directive would require notifying regulatory authorities within 24 hours of a data breach that could result in harm, including identity theft or fraud. Other proposed changes include the right to have data erased when it is no longer necessary for a company's use. Penalties under the proposed rules could be up to 2% of global revenue.[ix]
About the Authors:
Scott Richardson is a business and insurance attorney at the Phoenix law firm of Jaburg Wilk. He assists clients with business issues, insurance coverage, licensing issues and litigation.
James Rough CFE, CCEP is an Associate Director in Navigant's Disputes & Investigations practice. He has twelve years of experience providing litigation, accounting, financial and forensic consulting services to organizations and their counsel involved in a variety of business issues and disputes. His areas of specialization include forensic investigations, financial restatements, white collar defense, and compliance consulting.
Vishal Oza is an Associate Director in Navigant's Disputes & Investigations practice and is the lead computer forensics expert in Los Angeles. He has dedicated his career to technology, and has over a decade of professional experience in the fields of computer forensics and information technology security. Mr. Oza provides services and solutions for clients in preparation of and response to matters involving data breach investigations, information security, digital forensic analysis, electronically stored information (ESI), and intellectual property theft.
Angela Sabbe is an Associate Director in Navigant's Disputes & Investigations practice. She has more than 12 years of experience performing complex, data-intensive financial analyses to determine damages or potential liabilities. She has extensive experience in all phases of electronic data management including data collection, validation and data quality assessment, and detailed data analysis. Her specialties include data and privacy breaches, class actions, wage and hour disputes, healthcare disputes and investigations, royalty and licensing audits, claims processing, and government investigations.
[i] Impairment Resources LLC filed for bankruptcy: http://www.compliancehelper.com/post/762185-hipaa-hitech-data-breach-causes-business; DigiNotar files for bankruptcy: http://www.symantec.com/threatreport/topic.jsp?id=threatreport&aid=against_the_breach
[iv] http://www.onlinetech.com/secure-hosting/hipaa-compliant-hosting/resources/hipaa-glossary-of-terms#Protected Health Information
[v] As of February 2012, 46 states already have some type of state security breach notification statute, including social security statutes and data security statutes.
[vi] S. 1151, Personal Data Privacy Security Act of 2011: http://www.govtrack.us/congress/bills/112/s1151; SB 3333, the Data Security and Breach Notification Act of 2012: http://nakedsecurity.sophos.com/2012/06/23/us-senate-proposes-national-data-breach-notification-act/
[vii] Ponemon Institute 2011 Cost of Data Breach Study: http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf
[viii] "The Second Annual Benchmark Study on Patient Privacy and Data Security," Ponemon Institute, December 2011.