BakerHostetler's 5th Annual Data Security Incident Response Report Highlights Collision of Privacy, Cybersecurity and Compliance; Details Efforts to Minimize Risk

Findings and analysis from 750 data breaches and cyberattacks handled in 2018

Press Releases / April 4, 2019

NEW YORK – April 4, 2019 – BakerHostetler’s privacy and data protection team released its 2019 Data Security Incident Response Report, which leverages the metrics and insights drawn from 750 potential incidents in 2018 to help entities identify and prioritize the measures necessary to address their digital risk posture.

“Privacy laws around the globe are shifting the way companies prepare for and manage data breaches. Our report highlights the collision of data security, privacy and compliance, and provides guidance on how companies can take action on key response items,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection team.

Now in its fifth consecutive year as the only report of its kind produced by a law firm, the report includes metrics related to key incident response areas of concern for entities of all sizes and across all industries.

Trends in incident cause and response metrics:

Phishing remains the leading cause of incidents tracked by the report, and roughly one-quarter of all incidents BakerHostetler responded to in the past year were caused by lost devices, inadvertent disclosures or system misconfigurations. Across the 750 incidents analyzed, employees were the responsible party in 55%, whether through simple mistakes, falling for phishing or being socially engineered.

“Raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor,” said Kobus.

Forensic investigations on the rise. In 2018, forensic investigations were conducted in 65% of all incidents analyzed in the report. Forensics were used in 79% of network intrusions, a 14% increase from 2017. Although more companies are investing in security tools that can assist in investigating security incidents, few have the experience and capacity to investigate adequately without third-party help.

The average cost of the forensic investigations decreased from an average of $84,417 in 2017 to $63,001 in 2018. However, for investigations of network intrusion incidents, the average cost rose to $120,732 from $86,770 in 2017.

Entities continue to improve their detection capabilities in-house. In 2018, 74% of incidents were detected internally, a marked rise from only 52% in 2015.

Increasing scrutiny from regulators. While many U.S. entities are subject to the European Union General Data Protection Regulation (GDPR), every state in the U.S. now has its own law governing data breach notification requirements, and state attorneys general continue to increase their oversight activities and expand their enforcement regimes through new state laws or increased use of existing laws. In 2018, 34% of the incidents that required consumer notification drew inquiries from state attorneys general, compared to just 16% in 2015. Other enforcement agencies are also becoming more active, particularly in the financial and insurance sectors.

Companies make gains in some response metrics. A historical look at the response timeline for incidents shows that entities have made steady improvements in the time to complete forensics, while containment time has held steady. Containment has remained in the range of six to eight days over the past five years, but the length of forensic investigations has been significantly reduced, from 47 days in 2015 to 28 days in 2018.

Despite new regulations pushing entities to notify quickly, the report shows a 67% increase in the time from discovery to notification; that average had been around 40 days over the past few years and reached 56 days in 2018.

Key findings and recommendations:

Get ahead of the compliance curve. New laws are inevitable, so try to anticipate what will be enacted, because most new laws borrow heavily from existing laws and core privacy and security principles: transparency, confidentiality, integrity, availability, fairness and data minimization.

Conduct M&A due diligence. Evaluate digital risks to assess the target’s privacy compliance and security posture before the merger or acquisition. Compromise assessments before or immediately after acquisitions of new entities help find undetected issues and support integration efforts.

Litigation persists. Class actions arising from data breaches or that allege violations of privacy laws continue, and outcomes remain inconsistent, with outliers in both court rulings and settlements. Derivative actions are becoming more popular, based on both data breaches and statutory compliance grounds. The plaintiffs’ bar continues to be creative to survive motions to dismiss, and some are coordinating efforts with regulators.

Use “compromise response intelligence.” Leverage the misfortune of others to identify emerging risks: Identify the issues affecting other companies and address them before you become a victim.

Nation-state attacks drawing more attention. Nation-state cyber operations continue to support espionage, economic development (through IP and trade secret theft) or sabotage, and collateral damage to unintended victims has been significant. It has become increasingly difficult to differentiate between the tactics, techniques and procedures used by nation-state actors and criminal actors. Good data on how often these attacks occur is hard to find, partly because they go undetected or unreported.

###

About BakerHostetler
BakerHostetler is a leading national law firm with more than 970 lawyers in 14 offices and is widely regarded as having one of the leading data privacy and cybersecurity practices. Our attorneys have managed more than 3,500 data security incidents for some of the world’s most recognized brands. Our privacy and data protection team’s work extends beyond incident response, and our team is one of the largest of its kind. In addition to privacy and data breach issues, we handle regulatory compliance, GDPR and other cross-border issues, marketing and advertising, security risk assessment, regulatory and class action defense. bakerlaw.com

Contact:

Ivette Delgado, 202.861.1766 (idelgado@bakerlaw.com) or Jacob Fischler, 202.861.1647 (jfischler@bakerlaw.com)
