BakerHostetler's 5th Annual Data Security Incident Response Report Highlights Collision of Privacy, Cybersecurity and Compliance; Details Efforts to Minimize Risk

Findings and analysis from 750 data breaches and cyberattacks handled in 2018

Press Releases / April 4, 2019

NEW YORK – April 4, 2019 – BakerHostetler’s privacy and data protection team released its 2019 Data Security Incident Response Report, which leverages the metrics and insights drawn from 750 potential incidents in 2018 to help entities identify and prioritize the measures necessary to address their digital risk posture.

“Privacy laws around the globe are shifting the way companies prepare for and manage data breaches. Our report highlights the collision of data security, privacy and compliance, and provides guidance on how companies can take action on key response items,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection team.

Now in its fifth consecutive year as the only report of its kind produced by a law firm, the report includes metrics related to key incident response areas of concern for entities of all sizes and across all industries.

Trends in incident cause and response metrics:

Phishing remains the leading cause of incidents tracked by the report, and roughly one-quarter of all incidents BakerHostetler responded to in the past year were caused by lost devices, inadvertent disclosures or system misconfigurations. Across the 750 incidents analyzed, 55% had employees involved as the responsible party, through a mix of simple mistakes, to falling for phishing or being socially engineered.

“Raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor,” said Kobus.

Forensic investigations on the rise. In 2018, forensic investigations were conducted in 65% of all incidents analyzed in the report. Forensics were used in 79% of network intrusions, a 14% increase from 2017. Although more companies are investing in security tools that can assist in investigating security incidents, few companies have the experience and capacity to adequately investigate without third-party help.

The average cost of the forensic investigations decreased from an average of $84,417 in 2017 to $63,001 in 2018. However, for investigations of network intrusion incidents, the average cost rose to $120,732 from $86,770 in 2017.

Entities continue to improve their detection capabilities in-house. In 2018, 74% of incidents were detected internally, a marked rise from only 52% in 2015.

Increasing scrutiny from regulators. While many U.S. entities are subject to the European Union General Data Protection Regulation (GDPR), every state in the U.S. now has its own law governing data breach notification requirements, and state attorneys general continue to increase their oversight activities and expand their enforcement regimes through new state laws or increased use of existing laws. In 2018, 34% of the incidents that required consumer notification received inquiries by state attorneys general, compared to just 16% in 2015. Other enforcement agencies are also becoming more active, particularly in the financial and insurance areas.

Companies make gains in some response metrics. A historical look at the response timeline for incidents shows that entities have made steady improvements in containment and time to complete forensics. Containment has remained in the range of six to eight days over the past five years, but the length of forensic investigations has been significantly reduced, from 47 days in 2015 to 28 days in 2018.

Despite new regulations pushing entities to notify quickly, the report shows a 67% increase in the time from discovery to notification, averaging 40 days over the past few years to 56 days in 2018.

Key findings and recommendations:

Get ahead of the compliance curve. New laws are inevitable, so try to anticipate what will be enacted, because most new laws borrow heavily from existing laws and core privacy and security principles: transparency, confidentiality, integrity, availability, fairness and data minimization.

Conduct M&A due diligence. Evaluate digital risks to assess the target’s privacy compliance and security posture before the merger or acquisition. Compromise assessments before or immediately after acquisitions of new entities help find undetected issues and support integration efforts.

Litigation persists. Class actions arising from data breaches or that allege violations of privacy laws continue, and outcomes remain inconsistent, with outliers in both court rulings and settlements. Derivative actions are becoming more popular, based on both data breaches and statutory compliance grounds. The plaintiffs’ bar continues to be creative to survive motions to dismiss, and some are coordinating efforts with regulators.

Use “compromise response intelligence.” Leverage the misfortune of others to identify emerging risks: Identify the issues affecting other companies and address them before you become a victim.

Nation-state attacks drawing more attention. Nation-state cyber operations continue to support espionage, economic development (through IP and trade secret theft) or sabotage, and collateral damage to unintended victims has been significant. It has become increasingly difficult to differentiate between the tactics, techniques and procedures used by nation-state actors and criminal actors. Good data on how often these attacks occur is hard to find, partly because they go undetected or unreported.

###

About BakerHostetler
BakerHostetler is a leading national law firm with more than 970 lawyers in 14 offices and is widely regarded as having one of the leading data privacy and cybersecurity practices. Our attorneys have managed more than 3,500 data security incidents for some of the world’s most recognized brands. Our privacy and data protection team’s work extends beyond incident response, and our team is one of the largest of its kind. In addition to privacy and data breach issues, we handle regulatory compliance, GDPR and other cross-border issues, marketing and advertising, security risk assessment, regulatory and class action defense. bakerlaw.com

Contact:

Ivette Delgado, 202.861.1766 (idelgado@bakerlaw.com) or Jacob Fischler, 202.861.1647 (jfischler@bakerlaw.com)

Related Professionals

Blog

In The Blogs

Previous Next
Data Privacy Monitor
COVID-19 Cybersecurity Exposure
By Andreas T. Kaltsounis
March 18, 2020
Risk scenarios and recommendations History tells us that unscrupulous actors will exploit any crisis, and COVID-19 is no exception. Attackers wasted no time building coronavirus-themed phishing emails and malware-laden websites purporting...
Read More ->
Data Privacy Monitor
HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency
By Vimala Devassy
March 18, 2020
The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with...
Read More ->
Data Privacy Monitor
Additional 6-Month CCPA Extension Sought in Wake of COVID-19
By Taylor A. Bloom, Gerald J. Ferguson, Alan L. Friel
March 18, 2020
Today we filed a request to the California Attorney General, as part of the CCPA rulemaking process, seeking an additional six month delay in the enforcement of the CCPA to allow our clients time to better focus on business continuity and...
Read More ->
Data Privacy Monitor
FERPA Disclosures in Response to COVID-19
By Lynn Sessions, Benjamin P. Wells
March 16, 2020
The United States Department of Education (ED) Student Privacy Policy Office (SPPO), on March 13, 2020, issued Frequently Asked Questions related to the serious novel coronavirus disease (COVID-19) that the world is now grappling with...
Read More ->
Data Privacy Monitor
CCPA Class Actions: Can They Include a Blast From the Past?
By Casie D. Collignon
March 13, 2020
Our Digital Assets and Data Management teams have been tracking all aspects of the CCPA, so when Fuentes v. Sunshine Behavioral Health Group, LLC (Case No. 8:20-cv-00487, Central District of California) was filed on March 10, 2020...
Read More ->