This post was co-authored by Christine M. Prokopick, an associate in Montgomery McCracken’s Litigation Department. She serves as an editor of the firm’s White Collar Alert blog, which focuses on white collar crime and government investigations. Christine can be reached at 215.772.7233 or at firstname.lastname@example.org.
Nearly every day, the news media tells us about the consequences of the latest attack from sophisticated groups of foreign and domestic hackers. These shadowy groups gain access to treasure troves of personal information that is then sold on the black market or used to embarrass and blackmail individuals. It’s a compelling story, one that sells advertising, racks up page views, and can even be made into a Hollywood blockbuster. But such media reports don’t address, and often obscure, the real security risks every organization faces. So what are the day-to-day risks that your organization should address in its data privacy plan?
Recently, Verizon released their 2015 Data Breach Investigations Report. The report is a comprehensive look into what organizations should do to protect customers’ personal information. Data breaches, which the report defines as any “incident that resulted in confirmed disclosure (not just exposure) to an unauthorized party,” occurred across practically all industries, but were confined to just a handful of common ‘types’ of breaches. The report separates data breaches into nine distinct categories: crimeware, cyber-espionage, denial of service, physical theft/loss, miscellaneous errors, payment card skimmers, point of sale, insider misuse, and webapp attacks.
Given the media reports, it’s obvious that external cyber threats are the top categories on which to focus your organization’s data privacy efforts, right? Surprisingly, in the healthcare industry, where personally identifiable information (such as social security numbers, dates of birth and addresses) and highly confidential personal health information (such as medical records and health insurance information) are readily available, external intrusions such as cyber-espionage and webapp attacks account for only 13% of the data breaches … combined. Far more prevalent threats are physical theft/loss (16%), miscellaneous errors (32%), and most importantly, insider misuse (26%). These trends predominate across all industries. In fact, breaches caused by mistakes or purposeful misuse by an organization’s employees account for 90.4% of all reported security incidents.
Data breaches by employees also regularly end up in court and can result in potentially expensive class-action litigation. Florida Hospital, which was forced to litigate a lawsuit relating to data breaches by its employees in 2011, now has to deal with a second class action lawsuit related to a separate breach by different employees discovered in 2014. These incidents are not isolated; for example, Healthfirst Inc. reported a breach of personal information for 5,300 of its members just this week.
Companies should be proactive with their data security plans across all fronts, especially in light of the recent victory for Plaintiffs in Remijas v. Neiman Marcus Group. While external breaches will continue to get the lion’s share of media coverage, any comprehensive plan to prevent and detect breaches must also include a plan to deal with potential threats from those within the organization. It is the employees you trust, just as much as the hackers you don’t, that can cause a breach and put your organization at risk. Who knows, with enough attention from companies seeking to prevent the largest source of data breaches, maybe Hollywood will make a blockbuster about the most famous insider data breach of all time and the tremendous fallout that resulted.
Ensure that your organization’s data privacy plans are designed to combat all potential threats, not just those that grab the headlines.