BakerHostetler Data Security Incident Response Report Reveals Being "Compromise Ready" Better Positions Companies to Respond to Incidents

Second annual report shows shift in cause of incidents – phishing/hacking/malware is now number one; cybersecurity needs to remain a top priority

Press Releases / March 30, 2016

New York, March 30, 2016 – According to the 2nd annual BakerHostetler Data Security Incident Response Report, phishing/hacking/malware was the cause of 31% of data security incidents during 2015, revealing a shift from 2014 when human error was the leading cause. The report also continues the inaugural-year theme that no industry is immune to data security incidents – reinforcing that it is more important than ever that companies take action in advance to become ready for the inevitable incidents to come.

“Being ‘compromise ready’ better positions companies to respond to data security incidents faster, contain the threat, and potentially lessen the severity of these events,” explains Theodore Kobus, Leader of BakerHostetler’s Privacy and Data Protection team. “This year’s report has evolved to include more robust data to raise awareness of how these events take place, and also includes the action items companies should take to their boards of directors to plan for the inevitable data security incident.”

The full 2016 BakerHostetler Data Security Incident Response Report can be found here. The Privacy and Data Protection team will host a webinar on these findings on April 20 at noon ET.

The report, produced by the Privacy and Data Protection team at BakerHostetler, analyzes data from more than 300 incidents on which the firm advised in 2015. The report looks at causes of incidents, industries most affected, and what happens after a security incident is detected – from containment, to notification, to regulatory investigations and even lawsuits. A final section in the report provides the eight components of being compromise ready and identifies measures companies should take to minimize the impact of an incident.

Notable statistics from the report include:

  • Cause of incidents: phishing/hacking/malware (31%), employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%), internal theft (8%), and lost or improper disposal (6%).
  • No industry is immune: the healthcare industry (23%) was affected more than any other. Rounding out the top three are financial services (18%) and education (16%).
  • Number of individuals notified: for incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000.
  • 52% of the incidents that BakerHostetler helped manage in 2015 were self-detected.
  • Detection time – the time from when an incident first began until it was detected – ranged from 0 days to more than 400 days. The average amount of time from incident to discovery for all industries was 69 days, with healthcare taking nearly twice as long as other industries. Average amount of time from discovery to containment was 7 days.
  • Notification – the average amount of time from discovery to notification – was 40 days.
  • Not all incidents require notification to individuals or the public at large. In about 40% of the incidents that BakerHostetler helped manage in 2015, notification or public disclosure was not necessary.
  • Credit monitoring was offered in 53% of the incidents that BakerHostetler advised on in 2015 and the average redemption rate was 10%.
  • Regulatory inquiries resulted from 24% of incidents reported, and litigation commenced after 6% of the incidents were made public.

“While healthcare companies again topped the ‘Frequency of Breach Incidents by Industry’ list, our findings show that those incidents are less severe than those that occur in other industries on average. In fact, topping the severity list by number of individuals affected was restaurants/hospitality, mostly due to financially motivated attacker groups moving their focus from grocers and big-box retailers to restaurants, hotels, and casinos,” explains Kobus.

Compromise Ready

“Every company should be constantly focused on preventing, detecting, and having the right capabilities in place to respond to incidents. Accepting that incidents are inevitable does not mean that you stop trying to prevent them. In addition to reducing risk profiles through information governance and implementing preventative security measures, companies must focus on adapting measures to changing risks along with faster detection and containment to effectively respond,” says BakerHostetler Privacy and Data Protection team Partner Craig Hoffman.

“The bottom line is that the key to successful and rapid containment is to plan for the inevitable incident. Companies that have identified the forensic firm they will work with, have a master services agreement in place, and have conducted scenario planning usually reach containment faster and with less impact to business operations and reputation,” says Kobus.

###

About BakerHostetler
Celebrating the 100th anniversary of its founding this year, BakerHostetler is a leading national law firm that helps clients around the world to address their most complex and critical business and regulatory issues. With five core national practice groups – Business, Employment, Intellectual Property, Litigation, and Tax – the firm has more than 940 lawyers located in 14 offices coast to coast. Recognized for its role as court-appointed counsel to the Securities Investor Protection Act (SIPA) Trustee in the recovery of billions of dollars in principal lost in the Ponzi scheme perpetrated by Bernard L. Madoff, BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice, and an industry-leading business practice. For more information, visit bakerlaw.com.

Contact:

Tracy Hager, 303.764.4090 (thager@bakerlaw.com), or Stephanie Moore, 216.861.7106 (semoore@bakerlaw.com)
