Data Breach - What are the Risks to My Company?

by Jaburg Wilk

[authors: Scott J Richardson, Esq., James Rough, Vishal Oza and Angela Sabbe]

There are numerous news reports of data and security breaches in which customers' personal information, including social security numbers, credit card numbers and health information, has been compromised. In fact, they are so frequent that websites such as databreaches.net, databreachwatch.org and privacyrights.org now track and chronicle data breaches. Many smaller companies perceive that they are not at risk for a data breach. However, that perception may prove to be untrue and very costly. In this article, data and technology experts James Rough, Vishal Oza, and Angela Sabbe from Navigant address issues associated with the risks from, and protections against, data breaches.

What is a data breach?

A data breach generally occurs when electronic or hardcopy data falls into the wrong hands. The potential for subsequent misuse or disclosure of the data then poses a significant risk of financial or other harm to the affected individuals or company. Data breaches vary greatly. Some are accidental, such as a thumb drive, smart phone or computer accidentally left on a plane, while others are intentional, such as a professional hacker gaining access to a company system with the intent to cause harm.

Why should I be concerned?

Your reputation and your company's reputation are at stake. You maintain sensitive information about your employees, clients and vendors that could wind up in the wrong hands.  Ten or 15 years ago, data breach was not as regulated as it is today.  As a result of the large increase in electronically stored data, new breach notification laws at the Federal and state level may require reporting a breach to the affected individuals and other interested parties. If appropriate steps are not taken after a breach occurs, individuals and companies could incur financial, reputational or other losses or face criminal or civil actions for non-compliance with relevant data privacy and security regulations.

What potential problems can arise from a data breach?

A wide range of repercussions can follow a data breach, including criminal charges if appropriate steps are not taken. For some companies, the expense of remediating a data breach has been so large that they had to file for bankruptcy protection.[i] Beyond the monetary expense to the company, it can take years for affected individuals to overcome the damage caused by a data breach.

What are some recent examples of data breach incidents and trends?

In one recent breach, a hospital agreed to pay $750,000 to settle allegations that it did not take adequate precautions to protect patient data. The case involved three boxes of tapes containing un-encrypted patient data that were shipped in February 2010 to a third-party contractor. The hospital learned in June 2010 that the contractor received just one of the three boxes. The data on the tapes included Social Security Numbers (SSNs), birth dates, health plans, diagnoses, and treatment information. A statement released by the Attorney General's office stated the hospital violated the Health Insurance Portability and Accountability Act (HIPAA) by failing to notify the contractor about the sensitive nature of the data on the tapes and by not ensuring that the contractor had appropriate security measures in place to protect the data. Sources indicate the hospital has since taken steps to improve its data security practices.[ii]

Another significant instance of data breach occurred at the US Federal Retirement Thrift Investment Board's (FRTIB) Thrift Savings Plan, when third party service provider Serco was hacked, compromising personal information of more than 123,000 participants. The FBI informed FRTIB and Serco of the breach in April. The compromised data included names, addresses, SSNs and, in some cases, financial account and routing numbers.  FRTIB and Serco shut down the compromised system, conducted a forensic analysis to determine who was affected, and organized a response team to perform a comprehensive review of computer security procedures.[iii]

A third example involved a company that helps credit card companies process transactions for merchants.  The breach was initially estimated to have affected one to three million accounts. While not all accounts were used in fraudulent transactions, the breach exposed millions of cardholders to the potential misuse of their personal information.  The event highlighted that even a highly sophisticated company with proper encryption techniques can still experience a significant data breach.

Computers, servers, firewall logs, social media sites and even our cell phones are constantly generating data.  As the volume of data and number of systems grow, it becomes more challenging to protect them.  Attackers are becoming more sophisticated and are constantly finding new ways to exploit weaknesses in security controls to obtain valuable data.  Motivations and agendas for these attacks vary; however, money is a common motivator.  New examples of data breaches relate to mobile devices, mobile payment technologies, and cloud computing, yet trends point back to traditional causes that include: stolen or accidental loss of devices, malware and keystroke loggers transmitting data to attackers' servers, social engineering methods such as phishing e-mails, tailgating into office buildings, or exploiting compromised user credentials to access sensitive information.

What if I just ignore a breach?

Would you ignore a thief who broke into your house?  Ignoring a data breach not only potentially compromises sensitive information; it also puts you at risk of monetary or criminal penalties.  For example, "willful neglect" of Protected Health Information (PHI) carries penalties up to $1.5 million[iv] and potential criminal liability.  Ignoring the problem can also expose you to lawsuits from Federal and state agencies,[v] customers, employees, business partners and vendors.

What controls should I have in place to protect against data breach?

Proper controls should address the risks associated with the people, processes, and technology within your organization.  Start by identifying and classifying sensitive data, train employees to recognize sensitive data and the risks associated with it, and then design procedures and technical or physical controls to address the risks.  Employees should also be trained in how to prevent, detect, and respond to data breaches.

You can put a security system on your house and a sign on your fence that says "Beware of dog," but that doesn't mean you will never be robbed. Many controls can help lower the risk of a data breach, but even with those controls in place, the possibility of a data breach still exists.

Consider the following:

  1. Know your weaknesses and risks in advance.  Consider utilizing penetration testing, sometimes referred to as "ethical hacking," to identify vulnerabilities in your systems and data security.
  2. Implement technical controls, such as data encryption and intrusion detection, in combination with physical controls, such as restricting access to areas housing sensitive data.
  3. Identify, in advance, an incident response team, including external counsel and technical experts.
  4. Prepare an appropriate incident response plan.
  5. Be familiar with laws and regulations affecting your company.
  6. Incorporate and improve upon industry best practices and standards.
  7. Ensure that all levels of employees are trained about the risks and their responsibilities to protect PHI and PII.
  8. Build a culture of privacy and security.
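The first step in the paragraph above, identifying and classifying sensitive data, is where the rest of the controls hang: you cannot encrypt, restrict access to, or train people about data you have not found. The Python script below is an added example, not code from the article's authors or from Navigant, showing one way to screen records for the two identifier types the article returns to repeatedly (SSNs and payment card numbers), discard look-alikes that could never be real, flag health context that turns an SSN into PHI, and assign a handling label. The regular expressions, the plausibility checks, the health-context terms, the labels and the sample records are all assumptions made for this example.

```python
"""Screen free-text records for common high-risk identifiers (SSNs, payment
card numbers) and assign a handling classification.

Example code added to illustrate the "identify and classify sensitive data"
step; it is not the article authors' code. The regexes, the plausibility
checks, the labels and the sample records are all assumptions made here.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample records; every identifier below is made up.
SAMPLE_RECORDS = [
    "Patient 4471: SSN 123-45-6789, diagnosis J18.9, treatment: antibiotics",
    "Order 88213 paid with card 4111 1111 1111 1111, exp 09/26",
    "Vendor contact: ops@example.com, PO 2012-0417",
    "Form field test value 000-12-3456 (not issuable)",
    "Typo in card field: 4111 1111 1111 1112",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Context words (assumed) that turn an identifier into protected health information.
HEALTH_TERMS = ("diagnosis", "treatment", "health plan", "patient")


@dataclass(frozen=True)
class Finding:
    record_index: int
    category: str   # "SSN", "PAN" (card number) or "PHI"
    masked: str     # only the last four digits survive in reports and logs


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the scan output is not itself a breach."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_record(index: int, text: str) -> list[Finding]:
    findings = []
    has_health_context = any(term in text.lower() for term in HEALTH_TERMS)
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            digits = "".join(m.groups())
            findings.append(Finding(index, "SSN", mask(digits)))
            if has_health_context:
                findings.append(Finding(index, "PHI", mask(digits)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding(index, "PAN", mask(digits)))
    return findings


def scan_records(records) -> list[Finding]:
    return [f for i, text in enumerate(records) for f in scan_record(i, text)]


def classify(findings) -> str:
    """Map findings to a handling label; no findings is not proof that no sensitive data is present."""
    categories = {f.category for f in findings}
    if "PHI" in categories:
        return "RESTRICTED-PHI"
    if categories & {"SSN", "PAN"}:
        return "RESTRICTED"
    return "INTERNAL"


def summarize(records) -> dict:
    findings = scan_records(records)
    return {
        "label": classify(findings),
        "counts": dict(Counter(f.category for f in findings)),
        "records_with_findings": sorted({f.record_index for f in findings}),
    }


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"record {f.record_index}: {f.category} {f.masked}")
    print(summarize(SAMPLE_RECORDS))
```

Two design points carry over to any real deployment: the scanner masks what it finds, so its own report does not become a second copy of the data it was looking for, and the plausibility and Luhn checks exist because unfiltered pattern matches on a large corpus produce more noise than a team can triage. A pattern scan is only a first pass; structured fields, file metadata and data owners' knowledge complete the inventory.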

In addition to protecting customer financial data and protected health information, should I be concerned about protecting other types of data?

Yes.  Among other things, you should be concerned about your employees' personal information.  After data breaches compromised employees' personal information at two companies, the Federal Trade Commission (FTC) required each company to undergo biennial independent security audits for 20 years following the breach.  The FTC also imposed the same audit requirement on an online gaming website after a data breach exposed the e-mail addresses and passwords of 30 million users.  Corporate trade secrets and other valuable information, including customer lists, pricing, product designs, and proprietary source code, are increasingly the target of theft and corporate espionage.

Can I transfer the financial costs of a data breach response?

Yes.  Insurance companies are starting to offer cyber insurance to help clients protect against some risk associated with cyber-attacks and data breaches.   The policies can be complex and are a fairly new entrant into the insurance market.  You should consult your in-house insurance professional or a qualified insurance attorney to ensure proper coverage.

Do the regulations or penalties vary by state?

In addition to the HIPAA and HITECH regulations covering breaches of PHI, 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information. Deadlines vary, but some states specify that a breach be investigated with reasonable expediency and require notification of affected individuals and possibly state and Federal agencies. Multiple national data breach bills are currently before Congress in an attempt to unify national policy on this topic.[vi]

Currently, Massachusetts law is stricter than that of many states. It allows for monetary fines when a Massachusetts resident's data is breached or improperly disposed of, regardless of where the data was maintained. The monetary fine is in addition to the other costs of responding to a data breach, which may include the investigation, notifications, establishment of a call center, and provision of credit monitoring and restoration services to affected individuals. Additional costs for legal defense and regulatory response may also be incurred.

How expensive are data breaches for companies?

According to the Ponemon Institute,[vii] on average it costs companies nearly $194 per record breached. This excludes the cost of potential litigation and reputational damage. The figure varies across industries: media, technology, and hospitality companies have an estimated cost per record breached of less than $140, while healthcare, pharmaceutical and financial companies have an estimated cost per record of $240. The total cost of healthcare breaches alone was estimated at $6.5 billion in 2011.[viii]

Are these regulations and penalties limited to the United States?

No. In many other countries, personal information is considered property of the individual and is essentially licensed to a company for a specific purpose. Many Canadian provinces call for voluntary reporting of data breaches. Three provinces require mandatory reporting of data breaches involving health information. Alberta requires reporting of all types of data breaches. Recent proposed changes to the European Union Data Protection Directive would require notifying regulatory authorities within 24 hours of a data breach that could result in harm, including identity theft or fraud. Other proposed changes include the right to have data erased when it is no longer necessary for a company's use. Penalties under the proposed rules could be up to 2% of global revenue.[ix]

About the Authors:

Scott Richardson is a business and insurance attorney at the Phoenix law firm of Jaburg Wilk. He assists clients with business issues, insurance coverage, licensing issues and litigation.

James Rough CFE, CCEP is an Associate Director in Navigant's Disputes & Investigations practice. He has twelve years of experience providing litigation, accounting, financial and forensic consulting services to organizations and their counsel involved in a variety of business issues and disputes. His areas of specialization include forensic investigations, financial restatements, white collar defense, and compliance consulting.

Vishal Oza is an Associate Director in Navigant's Disputes & Investigations practice and is the lead computer forensics expert in Los Angeles. He has dedicated his career to technology, and has over a decade of professional experience in the fields of computer forensics and information technology security. Mr. Oza provides services and solutions for clients in preparation of and response to matters involving data breach investigations, information security, digital forensic analysis, electronically stored information (ESI), and intellectual property theft.

Angela Sabbe is an Associate Director in Navigant's Disputes & Investigations practice.  She has more than 12 years of experience performing complex, data-intensive financial analyses to determine damages or potential liabilities. She has extensive experience in all phases of electronic data management including data collection, validation and data quality assessment, and detailed data analysis. Her specialties include data and privacy breaches, class actions, wage and hour disputes, healthcare disputes and investigations, royalty and licensing audits, claims processing, and government investigations.

-------------------

[i] Impairment Resources LLC filed for bankruptcy: http://www.compliancehelper.com/post/762185-hipaa-hitech-data-breach-causes-business; DigiNotar files for bankruptcy: http://www.symantec.com/threatreport/topic.jsp?id=threatreport&aid=against_the_breach

[ii] http://www.scmagazine.com/hospital-agrees-to-pay-750000-over-data-breach-allegations/article/242920/

[iii] http://www.govexec.com/pay-benefits/2012/05/tsp-accounts-exposed-breach/55927/

[iv] http://www.onlinetech.com/secure-hosting/hipaa-compliant-hosting/resources/hipaa-glossary-of-terms#Protected Health Information

[v] As of February 2012, 46 states already have some type of state security breach notification statutes including social security statutes and data security statutes

[vi] S. 1151, Personal Data Privacy Security Act of 2011: http://www.govtrack.us/congress/bills/112/s1151; SB 3333, the Data Security and Breach Notification Act of 2012: http://nakedsecurity.sophos.com/2012/06/23/us-senate-proposes-national-data-breach-notification-act/

[vii] Ponemon Institute 2011 Cost of Data Breach Study: http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf

[viii] "The Second Annual Benchmark Study on Patient Privacy and Data Security," Ponemon Institute, December 2011.

[ix] http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jaburg Wilk | Attorney Advertising
