BakerHostetler's 5th Annual Data Security Incident Response Report Highlights Collision of Privacy, Cybersecurity and Compliance; Details Efforts to Minimize Risk

Findings and analysis from 750 data breaches and cyberattacks handled in 2018

Press Releases / April 4, 2019

NEW YORK – April 4, 2019 – BakerHostetler’s privacy and data protection team released its 2019 Data Security Incident Response Report, which leverages the metrics and insights drawn from 750 potential incidents in 2018 to help entities identify and prioritize the measures necessary to address their digital risk posture.

“Privacy laws around the globe are shifting the way companies prepare for and manage data breaches. Our report highlights the collision of data security, privacy and compliance, and provides guidance on how companies can take action on key response items,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection team.

Now in its fifth consecutive year as the only report of its kind produced by a law firm, the report includes metrics related to key incident response areas of concern for entities of all sizes and across all industries.

Trends in incident cause and response metrics:

Phishing remains the leading cause of incidents tracked by the report, and roughly one-quarter of all incidents BakerHostetler responded to in the past year were caused by lost devices, inadvertent disclosures or system misconfigurations. Across the 750 incidents analyzed, 55% had employees involved as the responsible party, through a mix of simple mistakes, to falling for phishing or being socially engineered.

“Raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor,” said Kobus.

Forensic investigations on the rise. In 2018, forensic investigations were conducted in 65% of all incidents analyzed in the report. Forensics were used in 79% of network intrusions, a 14% increase from 2017. Although more companies are investing in security tools that can assist in investigating security incidents, few companies have the experience and capacity to adequately investigate without third-party help.

The average cost of the forensic investigations decreased from an average of $84,417 in 2017 to $63,001 in 2018. However, for investigations of network intrusion incidents, the average cost rose to $120,732 from $86,770 in 2017.

Entities continue to improve their detection capabilities in-house. In 2018, 74% of incidents were detected internally, a marked rise from only 52% in 2015.

Increasing scrutiny from regulators. While many U.S. entities are subject to the European Union General Data Protection Regulation (GDPR), every state in the U.S. now has its own law governing data breach notification requirements, and state attorneys general continue to increase their oversight activities and expand their enforcement regimes through new state laws or increased use of existing laws. In 2018, 34% of the incidents that required consumer notification received inquiries by state attorneys general, compared to just 16% in 2015. Other enforcement agencies are also becoming more active, particularly in the financial and insurance areas.

Companies make gains in some response metrics. A historical look at the response timeline for incidents shows that entities have made steady improvements in containment and time to complete forensics. Containment has remained in the range of six to eight days over the past five years, but the length of forensic investigations has been significantly reduced, from 47 days in 2015 to 28 days in 2018.

Despite new regulations pushing entities to notify quickly, the report shows a 67% increase in the time from discovery to notification, averaging 40 days over the past few years to 56 days in 2018.

Key findings and recommendations:

Get ahead of the compliance curve. New laws are inevitable, so try to anticipate what will be enacted, because most new laws borrow heavily from existing laws and core privacy and security principles: transparency, confidentiality, integrity, availability, fairness and data minimization.

Conduct M&A due diligence. Evaluate digital risks to assess the target’s privacy compliance and security posture before the merger or acquisition. Compromise assessments before or immediately after acquisitions of new entities help find undetected issues and support integration efforts.

Litigation persists. Class actions arising from data breaches or that allege violations of privacy laws continue, and outcomes remain inconsistent, with outliers in both court rulings and settlements. Derivative actions are becoming more popular, based on both data breaches and statutory compliance grounds. The plaintiffs’ bar continues to be creative to survive motions to dismiss, and some are coordinating efforts with regulators.

Use “compromise response intelligence.” Leverage the misfortune of others to identify emerging risks: Identify the issues affecting other companies and address them before you become a victim.

Nation-state attacks drawing more attention. Nation-state cyber operations continue to support espionage, economic development (through IP and trade secret theft) or sabotage, and collateral damage to unintended victims has been significant. It has become increasingly difficult to differentiate between the tactics, techniques and procedures used by nation-state actors and criminal actors. Good data on how often these attacks occur is hard to find, partly because they go undetected or unreported.

###

About BakerHostetler
BakerHostetler is a leading national law firm with more than 970 lawyers in 14 offices and is widely regarded as having one of the leading data privacy and cybersecurity practices. Our attorneys have managed more than 3,500 data security incidents for some of the world’s most recognized brands. Our privacy and data protection team’s work extends beyond incident response, and our team is one of the largest of its kind. In addition to privacy and data breach issues, we handle regulatory compliance, GDPR and other cross-border issues, marketing and advertising, security risk assessment, regulatory and class action defense. bakerlaw.com

Contact:

Ivette Delgado, 202.861.1766 (idelgado@bakerlaw.com) or Jacob Fischler, 202.861.1647 (jfischler@bakerlaw.com)

Related Professionals

Blog

In The Blogs

Previous Next
Data Privacy Monitor
SEC Updates Data Privacy and Cybersecurity Guidance for Registered Firms
April 22, 2019
On April 16, 2019, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a risk alert, “Investment Adviser and Broker-Dealer Compliance Issues Relating to Regulation S-P –...
Read More ->
Data Privacy Monitor
Deeper Dive: Choose the Right Forensics Firm for the Job
By William R. Daugherty, Eric A. Packel
April 17, 2019
Forensics are a key component of many data incident investigations. The importance of forensics cannot be overstated. In fact, in 2018, 65% of the incidents we handled involved some type of forensic investigation. Forensics firms can not...
Read More ->
Data Privacy Monitor
In BIPA's Wake, a Wave of New Biometric Privacy Proposals
By Robyn M. Feldstein, Melinda L. McLellan
April 15, 2019
Over the past year, a host of new national, state and local laws have been introduced to regulate the collection and use of biometric information. Although these proposals vary in their requirements, certain elements appear to be inspired...
Read More ->
Data Privacy Monitor
Deeper Dive: The Scourge of O365 Incidents
April 11, 2019
A Growing Menace 2018 saw a continuation of companies moving toward cloud-based email systems. Phishing incidents targeting those systems followed suit. Fully one-third of incidents addressed by our incident response team in 2018 involved...
Read More ->
Data Privacy Monitor
Bill to Expand CCPA Private Right of Action Moves Forward
April 11, 2019
We have previously written about California SB 561 here, introduced by Senator Jackson (D) and supported by the California Attorney General (AG), that among other things would vastly expand the CCPA’s private right of action and remove the...
Read More ->