BakerHostetler's 5th Annual Data Security Incident Response Report Highlights Collision of Privacy, Cybersecurity and Compliance; Details Efforts to Minimize Risk

Findings and analysis from 750 data breaches and cyberattacks handled in 2018

Press Releases / April 4, 2019

NEW YORK – April 4, 2019 – BakerHostetler’s privacy and data protection team released its 2019 Data Security Incident Response Report, which leverages the metrics and insights drawn from 750 potential incidents in 2018 to help entities identify and prioritize the measures necessary to address their digital risk posture.

“Privacy laws around the globe are shifting the way companies prepare for and manage data breaches. Our report highlights the collision of data security, privacy and compliance, and provides guidance on how companies can take action on key response items,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection team.

Now in its fifth consecutive year as the only report of its kind produced by a law firm, the report includes metrics related to key incident response areas of concern for entities of all sizes and across all industries.

Trends in incident cause and response metrics:

Phishing remains the leading cause of incidents tracked by the report, and roughly one-quarter of all incidents BakerHostetler responded to in the past year were caused by lost devices, inadvertent disclosures or system misconfigurations. Across the 750 incidents analyzed, 55% had employees involved as the responsible party, through a mix of simple mistakes, to falling for phishing or being socially engineered.

“Raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor,” said Kobus.

Forensic investigations on the rise. In 2018, forensic investigations were conducted in 65% of all incidents analyzed in the report. Forensics were used in 79% of network intrusions, a 14% increase from 2017. Although more companies are investing in security tools that can assist in investigating security incidents, few companies have the experience and capacity to adequately investigate without third-party help.

The average cost of the forensic investigations decreased from an average of $84,417 in 2017 to $63,001 in 2018. However, for investigations of network intrusion incidents, the average cost rose to $120,732 from $86,770 in 2017.

Entities continue to improve their detection capabilities in-house. In 2018, 74% of incidents were detected internally, a marked rise from only 52% in 2015.

Increasing scrutiny from regulators. While many U.S. entities are subject to the European Union General Data Protection Regulation (GDPR), every state in the U.S. now has its own law governing data breach notification requirements, and state attorneys general continue to increase their oversight activities and expand their enforcement regimes through new state laws or increased use of existing laws. In 2018, 34% of the incidents that required consumer notification received inquiries by state attorneys general, compared to just 16% in 2015. Other enforcement agencies are also becoming more active, particularly in the financial and insurance areas.

Companies make gains in some response metrics. A historical look at the response timeline for incidents shows that entities have made steady improvements in containment and time to complete forensics. Containment has remained in the range of six to eight days over the past five years, but the length of forensic investigations has been significantly reduced, from 47 days in 2015 to 28 days in 2018.

Despite new regulations pushing entities to notify quickly, the report shows a 67% increase in the time from discovery to notification, averaging 40 days over the past few years to 56 days in 2018.

Key findings and recommendations:

Get ahead of the compliance curve. New laws are inevitable, so try to anticipate what will be enacted, because most new laws borrow heavily from existing laws and core privacy and security principles: transparency, confidentiality, integrity, availability, fairness and data minimization.

Conduct M&A due diligence. Evaluate digital risks to assess the target’s privacy compliance and security posture before the merger or acquisition. Compromise assessments before or immediately after acquisitions of new entities help find undetected issues and support integration efforts.

Litigation persists. Class actions arising from data breaches or that allege violations of privacy laws continue, and outcomes remain inconsistent, with outliers in both court rulings and settlements. Derivative actions are becoming more popular, based on both data breaches and statutory compliance grounds. The plaintiffs’ bar continues to be creative to survive motions to dismiss, and some are coordinating efforts with regulators.

Use “compromise response intelligence.” Leverage the misfortune of others to identify emerging risks: Identify the issues affecting other companies and address them before you become a victim.

Nation-state attacks drawing more attention. Nation-state cyber operations continue to support espionage, economic development (through IP and trade secret theft) or sabotage, and collateral damage to unintended victims has been significant. It has become increasingly difficult to differentiate between the tactics, techniques and procedures used by nation-state actors and criminal actors. Good data on how often these attacks occur is hard to find, partly because they go undetected or unreported.

###

About BakerHostetler
BakerHostetler is a leading national law firm with more than 970 lawyers in 14 offices and is widely regarded as having one of the leading data privacy and cybersecurity practices. Our attorneys have managed more than 3,500 data security incidents for some of the world’s most recognized brands. Our privacy and data protection team’s work extends beyond incident response, and our team is one of the largest of its kind. In addition to privacy and data breach issues, we handle regulatory compliance, GDPR and other cross-border issues, marketing and advertising, security risk assessment, regulatory and class action defense. bakerlaw.com

Contact:

Ivette Delgado, 202.861.1766 (idelgado@bakerlaw.com) or Jacob Fischler, 202.861.1647 (jfischler@bakerlaw.com)

Related Professionals

Blog

In The Blogs

Previous Next
Data Privacy Monitor
BakerHostetler Comments on Draft CCPA Regulations
By Taylor A. Bloom, Kyle R. Fath
December 9, 2019
The California attorney general (the AG) has concluded the first round of public comments on the proposed regulations that would serve to interpret and implement California’s sweeping new privacy law, the California Consumer Privacy Act...
Read More ->
Data Privacy Monitor
Record-Keeping and Training Requirements in the Proposed Regulations for the CCPA
By James A. Sherer, Nichole L. Sterling
November 26, 2019
The California Consumer Privacy Act (CCPA), California Civil Code §1798.100 and following, does not in itself outline specific training and record-keeping requirements that demonstrate business compliance with consumer requests. However...
Read More ->
Data Privacy Monitor
Refine CCPA Compliance Plan with the Regulations in Mind
November 18, 2019
We previously announced the publication of the first set of proposed regulations that will implement the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. Partner Alan Friel has authored an article published...
Read More ->
Data Privacy Monitor
Children's Privacy Law Updates: Tricks or Treats?
By Carolina A. Alonso
October 31, 2019
It’s finally here! Halloween, the day every kid dreams of for months. It’s a scary time in the world of children’s privacy law – what with the California Consumer Privacy Act (CCPA) lurking around the corner and the specter of FTC...
Read More ->
Data Privacy Monitor
IAB Releases Draft CCPA Compliance Framework for Digital Advertising Industry
By Kyle R. Fath
October 25, 2019
The Interactive Advertising Bureau (IAB) publicly released its draft CCPA Compliance Framework for Publishers and Technology Companies (“Framework”) on Oct. 22, 2019. As we reported here, the Framework is being developed by the IAB and the...
Read More ->