Poor security, employee mistakes or malfeasance, failing technologies and savvy hackers are commonplace in today’s society and together form a perfect storm for data breaches. Businesses must ensure that they have the appropriate policies and procedures in place to combat these threats.1
What is a data breach?
The most common description of a data breach is the unauthorized acquisition, use or disclosure of unredacted or unencrypted personal information (data) that is likely to cause a substantial risk of harm (reputational, financial or otherwise) to the individual or group of individuals concerned.2
Major Causes of Data Breaches
Studies show that the biggest cybersecurity risk to U.S. businesses is employee negligence.3 More than 40 percent of data breaches are caused by employee negligence.4 Employees may volunteer confidential information to an attacker during phishing,5 whaling6 or vishing attacks.7 They may also install unauthorized software or malware, such as viruses8 or worms,9 that gives an attacker a foothold on a private network and its devices. This is why employee security training during onboarding and on a periodic basis (at least once a year) should be a requirement of continued employment.
Data breaches are also caused by missing security controls and faulty technologies.10 A sound change management program that tests technologies before they go live can keep faulty and insecure technologies from being deployed. Patch management is equally important; installing patches promptly closes known vulnerabilities before attackers can exploit them and prevents data leakage.11 In addition, change management procedures provide a process by which all system changes made by employees are identified, approved, tracked, controlled and audited.12
Moreover, it is important that systems and controls are reviewed during the merger and acquisition process, as failure to do so can result in data breaches.
Furthermore, vendor oversight is equally important. Contracting with a vendor that lacks controls and is noncompliant with regulatory requirements is almost always a recipe for disaster and has been the cause of major data breaches.13
Regulatory Requirements: Data Breach Notification Statutes
The majority of countries around the world require businesses to report data breaches as part of regulatory requirements.14
In May 2018, the General Data Protection Regulation (GDPR) came into effect.15 The GDPR regulates the use and disclosure of the personal data16 of residents of the European Union17 and the European Economic Area.18 Under GDPR, controllers are required to report personal data breaches to the appropriate supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; a notification made later must state the reasons for the delay.19 Fines under the GDPR range up to 10 million euros or 2 percent of annual global turnover for some infringements, and up to 20 million euros or 4 percent of annual global turnover for the most serious, whichever amount is higher.20
Currently, all U.S. states have data breach notification statutes. The last two states to enact them were Alabama21 and South Dakota22 in 2018. This means that businesses that suffer breaches affecting U.S. consumers must comply not only with applicable federal laws (such as the Health Insurance Portability and Accountability Act [HIPAA]23 and the Gramm-Leach-Bliley Act24) but also with applicable state breach notification statutes. HIPAA requires covered entities to notify the U.S. Department of Health and Human Services of breaches affecting 500 or more individuals without unreasonable delay and no later than 60 days after discovery; smaller breaches are logged and reported annually.25 A number of state breach notification statutes are vague in their reporting deadlines.26
In late 2018, the attorney general of North Carolina discussed proposed amendments to the state breach notification statute that would replace its vague “without unreasonable delay” standard with a 15-day reporting period after discovery.27 New York’s Department of Financial Services cybersecurity regulation (23 NYCRR Part 500)28 applies specifically to businesses regulated by the department. It took effect in March 2017 with a phased transition period, and it requires covered entities to notify the department within 72 hours of determining that a reportable cybersecurity event has occurred.29 Washington state’s data breach notification law was amended in 2019 to expand the definition of personal information to include, among other items, health information and biometric data, and to shorten the notification deadline, previously one of the longest at 45 days after discovery, to 30 days.30 These are just a handful of the states currently amending data breach laws and/or enacting additional security or privacy statutes.
Data Breach Prevention Tactics
There are several steps businesses can take to prevent data breaches. These include, but are not limited to, implementing vendor management, privacy and information security policies and procedures, and a tested incident management plan.
A number of regulations require businesses to have a vendor management program (e.g., GDPR,31 HIPAA,32 the Sarbanes-Oxley Act33 and the Bank Secrecy Act34). Beyond compliance, managing vendor relationships lets a business measure the risk that third-party vendors pose to its information security standards, verify vendor compliance and hold vendors to the responsibilities and confidentiality requirements set forth in the contract.35
Policies and procedures are an equally important part of information security management. A good information security program reduces the risk of a cyberattack and greatly improves timely and effective detection and response if an attack occurs.36 Information security programs should be communicated in a manner that makes employees aware of the procedures and enables them to understand the policies. Good information security policies should establish the following three major requirements:
- Confidentiality: Information is disclosed only to those authorized to see it, consistent with the individual’s right to privacy and with any contract or notice.
- Integrity: Information and programs are changed only in authorized ways, so that they remain accurate and complete.
- Availability: Authorized users have timely access to information and resources when they need them.37
As previously stated, employees cause approximately 40 percent of data breaches, whether unintentionally or intentionally.38 One of the best strategies a business can implement to prevent this source of data breaches is to educate uninformed users. Employee training programs should target current and new employees, contractors and, where appropriate, vendors. Businesses should use multiple delivery methods for training (e.g., live sessions, web-based modules, tabletop exercises). Training should be appropriate to the individual’s role and access level.39 Spam filtering technology can stop some phishing messages, but it is rarely enough on its own. Training employees to recognize suspicious links and to avoid opening attachments from unknown senders is just as important.40
Encryption is a defense in virtually all jurisdictions: most breach notification statutes exclude properly encrypted data from the definition of a breach, provided the encryption key was not also compromised. A minority of jurisdictions41 (e.g., California’s Health and Safety Code §1280.1542) offer no such exception. Encryption is defined as the process of converting plaintext into ciphertext using a mathematical algorithm; a key is required to reverse the process and recover the plaintext.43 Encryption can protect data in transit over computer networks and data at rest on hard drives, USB drives, phones and other storage devices. If an encrypted drive is accessed by an unauthorized user or stolen, the encrypted data is essentially useless to that user, who cannot convert it back into plaintext without the cryptographic key.44 For that reason the key must be stored and managed separately from the data it protects; a key kept on the same stolen device gives the attacker both.
Rather than giving users unrestricted permissions to sensitive systems, businesses can implement role-based access control (RBAC) to segregate employee duties, provide an audit trail of each employee’s access activity and grant users only the access they need to perform their jobs. Restricting the data a user can reach limits the amount of data leakage that user can cause, whether by mistake or on purpose.45
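The following Python module is an added example, not code from the original article, of the three properties the paragraph above asks of RBAC: deny by default, segregation of duties, and an audit trail of every access decision. The roles, permissions and conflicting-role pairs are constructed for illustration; a real deployment would load them from a policy store, and the `revoke_all` call is the offboarding step discussed later in the case studies.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> permission mapping, constructed for this example. Permissions are
# "resource:action" strings; anything not listed here is implicitly denied.
ROLE_PERMISSIONS = {
    "hr_analyst": {"payroll:read"},
    "payroll_admin": {"payroll:read", "payroll:write"},
    "payment_initiator": {"payment:initiate"},
    "payment_approver": {"payment:approve"},
}

# Role pairs that no single user may hold at the same time (segregation of duties):
# the person who initiates a payment must not be the one who approves it.
CONFLICTING_ROLES = {frozenset({"payment_initiator", "payment_approver"})}


@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit_log: list = field(default_factory=list)    # one entry per access decision

    def assign(self, user: str, role: str) -> None:
        """Grant a role, refusing combinations that would break segregation of duties."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in CONFLICTING_ROLES:
                raise ValueError(f"{user} cannot hold {role!r} together with {other!r}")
        held.add(role)

    def revoke_all(self, user: str) -> None:
        """Offboarding: drop every role so later checks fall through to deny."""
        self.assignments.pop(user, None)

    def permissions(self, user: str) -> set:
        """Effective permissions are the union of the user's roles (empty for unknown users)."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))

    def check(self, user: str, permission: str, resource: str) -> bool:
        """Deny by default: only an explicitly granted permission returns True.
        Every decision, allowed or denied, is appended to the audit trail."""
        allowed = permission in self.permissions(user)
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "permission": permission,
            "resource": resource,
            "decision": "allow" if allowed else "deny",
        })
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("alice", "hr_analyst")
    print(ac.check("alice", "payroll:read", "payroll/2019-03"))   # allowed by role
    print(ac.check("alice", "payroll:write", "payroll/2019-03"))  # denied: not granted
    ac.revoke_all("alice")                                         # offboarding
    print(ac.check("alice", "payroll:read", "payroll/2019-03"))   # denied after revocation
    for entry in ac.audit_log:
        print(entry)
```

The audit log records denials as well as grants; a burst of denied reads against payroll by one account is exactly the signal the case studies below (the CPS and Certegy insiders) would have produced.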
In addition to RBAC, strong authentication is a good security practice to prevent cyberattacks. Authentication is the process by which an institution establishes an appropriate level of confidence that the person or entity requesting access to records is the authorized or intended party it claims to be. That confidence is built from one or more vetting methods, known as “authentication factors”: something the user knows (a password), something the user has (a hardware token or a one-time code generated on a phone) or something the user is (a biometric). Requiring factors from two different categories (multifactor authentication) means a stolen password alone is no longer enough to gain access.46
Intrusion detection systems are another good security mechanism. Intrusion detection is the process of monitoring and analyzing events in a computer system or network for signs of possible incidents. An intrusion detection system (IDS) is software that automates this process, and an intrusion prevention system (IPS) is an IDS that can also block the activity it detects.47 Either needs tuning to the environment: rules that are too loose bury analysts in false positives, and rules that are too tight miss the attack.
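To make the detection step concrete, here is an added example (not from the original article or any IDS product) of one host-based rule run over sshd-style authentication log lines: flag a source address that fails five logins within 60 seconds, and escalate to high severity if that same source then logs in successfully, which is the pattern of a password-guessing attack that worked. The log lines, the threshold and the window are constructed for the example; the addresses are from the documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log excerpt (TEST-NET addresses); not a real capture.
SAMPLE_LOG = """\
2019-03-04T10:15:01Z sshd[1201]: Accepted password for alice from 198.51.100.4 port 40211 ssh2
2019-03-04T10:15:05Z sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2019-03-04T10:15:07Z sshd[1203]: Failed password for root from 203.0.113.7 port 51123 ssh2
2019-03-04T10:15:09Z sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
2019-03-04T10:15:11Z sshd[1205]: Failed password for root from 203.0.113.7 port 51125 ssh2
2019-03-04T10:15:13Z sshd[1206]: Failed password for bob from 192.0.2.9 port 60001 ssh2
2019-03-04T10:15:14Z sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51126 ssh2
2019-03-04T10:15:16Z sshd[1208]: Failed password for root from 203.0.113.7 port 51127 ssh2
2019-03-04T10:15:40Z sshd[1209]: Accepted password for bob from 203.0.113.7 port 51128 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, source_ip), or None for lines this rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["outcome"], m["user"], m["src"]


def detect_ssh_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window count of failed logins per source; one alert per source,
    escalated to high severity if the flagged source later authenticates successfully."""
    failures = defaultdict(deque)   # source ip -> timestamps of failures inside the window
    flagged = set()                 # sources already alerted on, to avoid duplicate alerts
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, user, src = event
        recent = failures[src]
        if outcome == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()    # expire failures older than the window
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium", "src": src,
                               "count": len(recent), "first": recent[0].isoformat(),
                               "last": ts.isoformat()})
        elif src in flagged:
            # A success from a source that was guessing passwords is the real incident.
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high", "src": src,
                           "user": user, "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the sample data the rule produces exactly two alerts: the medium-severity burst from 203.0.113.7 at the fifth failure, and the high-severity success for user bob from the same address 24 seconds later. The single failure from 192.0.2.9 never crosses the threshold, which is the tuning point: raise the threshold and the successful compromise above is missed entirely.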
Another security tool is the firewall. A firewall is a set of related programs that prevents intruders from accessing data on a private network. To be effective, a firewall must be properly installed and configured: it should block external devices from initiating a session with a workstation and, together with the application software running on the workstation, should block unexpected outbound connections to external devices.48 Employees who work remotely should use a virtual private network (VPN).49 A VPN is a secure private network that uses public telecommunications infrastructure to transmit data. A VPN uses authentication as well as end-to-end encryption50 to maintain privacy and security.51
Lastly, incident management plans are another important defense against a cyberattack. When a business is alerted to a breach, how it handles, stops and mitigates the incident will play a big role in the penalties, fines and reputational damage it suffers. As a rule of thumb, businesses should test their incident management plans and/or receive an independent evaluation of them.52 Developing an incident management plan includes the following steps:53
- Identifying a team who can properly respond to an incident, secure the perimeter (network and physical locations) and prevent further leakage.
- Identifying a forensics team (internal or external) who can establish the source of the incident and preserve evidence.
- Identifying counsel to evaluate the legal, privacy and security ramifications, as well as reporting requirements.
- Identifying a public relations team to disseminate information regarding the incident.
Although these methods are not surefire ways to prevent and manage incidents, they are generally good practices according to national and international standards.54
Recent Large Breaches: Case Studies
A terminated Chicago Public Schools (CPS) employee copied and then deleted a database containing sensitive information about CPS employees, volunteers and others.55 In 2007, a Certegy Check Services Inc. employee sold the personal information of an estimated 2.3 million individuals to an unidentified data broker, who then sold it to several direct marketing companies.56 These incidents stress the importance of RBAC, audit trails and a proper offboarding process that terminates employee access promptly.
In 2016, Snapchat suffered a data breach that resulted from a whaling attack. The attacker, posing as Snapchat chief executive Evan Spiegel, deceived an employee into handing over payroll records of an estimated 700 current and former employees.57 The Snapchat breach shows how a lack of user/employee awareness and training can impact a business.
Equifax’s 2017 data breach was caused by an unpatched vulnerability in a web application on one of its websites. The breach exposed the personal information (Social Security numbers, birthdates, addresses and, in some cases, driver’s license numbers) of approximately 147.9 million consumers.58 Equifax had previously been sued over a lapse in security in 2016, when an attack on an Equifax website leaked the personal information (names, Social Security numbers, etc.) of 430,000 individuals.59 Between April 2013 and January 2014, Equifax suffered yet another breach, in which an attacker obtained credit reports by supplying enough personal information to pass Equifax’s identity verification process, an example of knowledge-based authentication defeated by data already in circulation.60 Equifax’s security controls had clearly been failing for a number of years, and the company did not correct the problem for over four years.
In late 2018, Marriott discovered that its Starwood subsidiary had suffered a data breach of its guest reservation system that began in 2014, before Marriott acquired Starwood. The attacker gained access to the email addresses, names, postal addresses, passport numbers and possibly payment card information of an estimated 500 million individuals. Although Marriott carries cyberinsurance, its stock fell 5 percent after the breach was disclosed. The Marriott breach solidifies the need for cybersecurity due diligence during mergers.61
In 2013, Target discovered that attackers had breached its payment system after first gaining access to the data connection between Target and its heating and ventilation vendor.62 Target’s fourth-quarter 2013 profit fell 46 percent.63 In 2017, Target agreed to an $18.5 million settlement with 47 states and the District of Columbia over the breach.64 The Target breach teaches the importance of vendor due diligence and of segmenting vendor network access from the systems that handle payment data.
For many businesses, a data breach means regulatory fines and sanctions, reputational harm and additional liability to consumers. It is imperative that businesses have the appropriate policies and procedures to prevent technology failures, combat the efforts of cybercriminals, perform vendor due diligence and enforce employee onboarding and awareness training. Neglecting any of these areas is far more expensive than the cost of implementing the appropriate controls.65
- “Creating a cyber security policy for your business,” business.gov.au, July 27, 2018, https://www.business.gov.au/risk-management/cyber-security/creating-a-cyber-security-policy-for-your-business
- “State Data Breach Notification Laws,” Foley & Lardner LLP, January 28, 2019, https://www.foley.com/en/insights/publications/2019/01/state-data-breach-notification-laws
- Carmen Reinicke, “The biggest cybersecurity risk to US businesses is employee negligence, study says,” CNBC, June 21, 2018, https://www.cnbc.com/2018/06/21/the-biggest-cybersecurity-risk-to-us-businesses-is-employee-negligence-study-says.html
- Mark Kaelin, “More than 40% of reported security breaches are caused by employee negligence,” TechRepublic, July 23, 2018, https://www.techrepublic.com/article/over-40-of-reported-security-breaches-are-caused-by-employee-negligence/
- “Definition: Phishing,” ISACA, https://www.isaca.org/Pages/Glossary.aspx?tid=1682&char=P
- “Whale Phishing,” Trend Micro, https://www.trendmicro.com/vinfo/us/security/definition/whale-phishing
- “Vishing,” Techopedia, https://www.techopedia.com/definition/4159/vishing
- “Definition: Virus,” ISACA, https://www.isaca.org/Pages/Glossary.aspx?tid=1971&char=V
- “Definition: Worm,” ISACA, https://www.isaca.org/Pages/Glossary.aspx?tid=1997&char=W
- “Common Cyber Attacks: Reducing the Impact,” National Technical Authority for Information Assurance, p. 3, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/400106/Common_Cyber_Attacks-Reducing_The_Impact.pdf
- Ed Tittel et al., CISSP® Certified Information Systems Security Professional Study Guide, 2nd Edition, 2004, p. 41.
- “Best Practices in Cyber Supply Chain Risk Management,” National Institute of Standards and Technology, https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf; “OCIE’s 2015 Cybersecurity Examination Initiative,” Office of Compliance Inspections and Examinations, September 15, 2015, https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf
- “Security Breach Notification Laws,” National Conference of State Legislatures, September 29, 2018, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- “2018 reform of EU data protection rules,” European Commission, https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
- “Art. 4 GDPR Definitions,” intersoft consulting, https://gdpr-info.eu/art-4-gdpr/
- “The 28 member countries of the EU,” European Union, https://europa.eu/european-union/about-eu/countries_en
- “The GDPR: new opportunities, new obligations,” European Commission, https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf
- “Art. 33 GDPR Notification of a personal data breach to the supervisory authority,” intersoft consulting, https://gdpr-info.eu/art-33-gdpr/
- “Art. 85 GDPR Processing and freedom of expression and information,” intersoft consulting, https://gdpr-info.eu/art-85-gdpr/
- “SB 318,” 2018, http://arc-sos.state.al.us/PAC/SOSACPDF.001/A0012674.PDF
- “SB 62,” South Dakota Legislature, 2018, http://sdlegislature.gov/docs/legsession/2018/Bills/SB62ENR.pdf
- “Breach Notification Rule,” U.S. Department of Health & Human Services, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- Gina Stevens, “Federal Information Security and Data Breach Notification Laws,” Congressional Research Service, https://fas.org/sgp/crs/secrecy/RL34120.pdf
- “Breach Notification Rule,” U.S. Department of Health & Human Services, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
- “State Data Breach Notification Laws,” Foley & Lardner LLP, January 28, 2019, https://www.foley.com/en/insights/publications/2019/01/state-data-breach-notification-laws. More than half of the states require notification to individuals and or regulators “without unreasonable delay after discovery” including Alabama, Alaska, Arkansas, California, Connecticut, Washington, D.C., etc
- Victorianne Musonza, “Changes on the horizon for North Carolina’s data breach notification law,” International Association of Privacy Professionals, January 24, 2017, https://iapp.org/news/a/changes-on-the-horizon-for-north-carolinas-data-breach-notification-law/
- “Cybersecurity Requirements for Financial Services Companies,” New York State Department of Financial Services, https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
- Ibid. Section 500.17.
- “Certification of Enrollment Substitute House Bill 1071,” 2019, http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/House%20Passed%20Legislature/1071-S.PL.pdf
- “Art. 28 GDPR Processor,” intersoft consulting, https://gdpr-info.eu/art-28-gdpr/; “Art. 32 GDPR Security of processing,” intersoft consulting, https://gdpr-info.eu/art-32-gdpr/
- “Business Associates”, U.S. Department of Health & Human Services, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
- “Public Law 107-204,” Library of Congress, July 30, 2002, https://www.congress.gov/107/plaws/publ204/PLAW-107publ204.pdf
- “BSA/AML Risk Assessment—Overview,” Federal Financial Institutions Examination Council, https://www.ffiec.gov/bsa_aml_infobase/pages_manual/olm_005.htm
- Agostino Carrideo, Vendor Management: An insider’s strategies to win and create long lasting change, 2015, p. 81.
- “Information Security Standards and Practices Guide,” UNT System, https://itss.untsystem.edu/sites/default/files/Information%20Security%20Standards%20and%20Practices.pdf
- “Grand Theft Data,” McAfee, https://www.mcafee.com/enterprise/en-us/assets/reports/rp-data-exfiltration.pdf
- “Student Privacy 101,” U.S. Department of Education, https://nces.ed.gov/programs/ptac/pdf/issue-brief-security-training.pdf
- “Phishing,” Federal Trade Commission, https://www.consumer.ftc.gov/articles/0003-phishing
- “State Data Breach Notification Laws,” Foley & Lardner LLP, January 28, 2019, https://www.foley.com/en/insights/publications/2019/01/state-data-breach-notification-laws; “Art. 5 GDPR Principles relating to processing of personal data,” intersoft consulting, https://gdpr-info.eu/art-5-gdpr/; “Recital 83 Security of processing,” intersoft consulting, https://gdpr-info.eu/recitals/no-83/
- “HEALTH AND SAFETY CODE §1280.15. Unlawful or unauthorized access and use or disclosure of patients’ medical information; Investigation; Report, Cal Health & Saf Code § 1280.15” Lexis Advance, https://advance.lexis.com/open/document/lpadocument/?pdmfid=1000522&crid=dXJuOmNvbnRlbnRJdGVtOjVKNlItR1JLMS02NkI5LTgwQzgtMDAwMDAtMDA&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5J6R-GRK1-66B9-80C8-00000-00&pdcomponentid=4867
- “Definition: Encryption,” ISACA, https://www.isaca.org/Pages/Glossary.aspx?tid=1376&char=E
- Kevin Stine and Quynh Dang, “Encryption Basics,” Journal of American Health Information Management Association, 2016, https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=908084
- Robert Lyon, Nick Schonning and Wesley David, “What is role-based access control (RBAC) for Azure resources?” Microsoft Azure, January 13, 2019, https://docs.microsoft.com/en-us/azure/role-based-access-control/overview
- “Identity Authentication Best Practices,” Privacy Technical Assistance Center, July 2012, https://studentprivacy.ed.gov/sites/default/files/resource_document/file/Identity_Authentication_Best_Practices_0.pdf
- “Intrusion Detection and Prevention Systems,” National Institute of Standards and Technology, https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=901146
- “Firewalls, intrusion prevention and VPN,” University of Houston Clear Lake, https://www.uhcl.edu/computing/information-security/tips-best-practices/firewalls
- “Cybersecurity for Small Business,” Federal Communications Commission, https://www.fcc.gov/general/cybersecurity-small-business
- “Definition of: end-to-end encryption,” PC Magazine, https://www.pcmag.com/encyclopedia/term/42602/end-to-end-encryption
- “Definition: Virtual private network (VPN)” ISACA, https://www.isaca.org/Pages/Glossary.aspx?tid=1969&char=V
- Kurtis Holland, “Incident Handling Annual Testing and Training,” SANS Institute, April 7, 2014 https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
- “Data Breach Response: A Guide for Business,” Federal Trade Commission, https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business
- See footnotes referencing NIST and SANS.
- Brad Edwards, “Fired CPS Employee Steals Personal Data Of 70,000 People, Charged With Multiple Felonies,” CBS Chicago, November 1, 2018, https://chicago.cbslocal.com/2018/11/01/cps-employee-data-theft/
- Ron Word, “2.3 million consumer financial records stolen,” NBCNews.com, July 3, 2007, http://www.nbcnews.com/id/19582088/ns/technology_and_science-security/t/million-consumer-financial-records-stolen/#.XEUjgvx7nUo
- Andrea Peterson, “The human problem at the heart of Snapchat’s employee data breach,” The Washington Post, March 1, 2016, https://www.washingtonpost.com/news/the-switch/wp/2016/03/01/the-human-problem-at-the-heart-of-snapchats-employee-data-breach/?noredirect=on&utm_term=.27f325c145f1
- Taylor Armerding, “The 18 biggest data breaches of the 21st century,” CSO, December 20, 2018, https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
- “Following Massive Equifax Data Breach, Gillibrand Calls On Federal Trade Commission To Conduct Immediate Review Of Consumer Data Protection At Top Consumer Reporting Agencies,” Kirsten Gillibrand, September 19, 2017, https://www.gillibrand.senate.gov/news/press/release/following-massive-equifax-data-breach-gillibrand-calls-on-federal-trade-commission-to-conduct-immediate-review-of-consumer-data-protection-at-top-consumer-reporting-agencies
- Pierre Thomas, “Equifax Confirms Hackers Stole Financial Data, Launches Investigation,” ABC News, March 13, 2013, https://abcnews.go.com/Politics/equifax-confirms-hackers-stole-financial-data-launches-investigation/story?id=18715884
- Kate Fazzini, “The Marriott hack that stole data from 500 million people started four years ago—investors should ask how the company missed it,” CNBC, November 30, 2018, https://www.cnbc.com/2018/11/30/marriott-hack-raises-questions-about-merger-diligence-tools-in-use.html
- Mark Hosenball, “Target vendor says hackers breached data link used for billing,” Reuters, February 6, 2014, https://www.reuters.com/article/us-target-breach-vendor/target-vendor-says-hackers-breached-data-link-used-for-billing-idUSBREA1523E20140206
- Maggie McGrath, “Target Profit Falls 46% On Credit Card Breach And The Hits Could Keep On Coming,” Forbes, February 26, 2014, https://www.forbes.com/sites/maggiemcgrath/2014/02/26/target-profit-falls-46-on-credit-card-breach-and-says-the-hits-could-keep-on-coming/#30f4cedf7326
- “AG Stein Joins 46 States and DC in $18.5m settlement with Target Corporation,” Attorney General Josh Stein, May 23, 2017, https://www.ncdoj.gov/News-and-Alerts/News-Releases-and-Advisories/AG-Stein-Joins-46-States-and-DC-in-$18-5M-Settleme.aspx
- “2018 Cost of a Data Breach Study: Global Overview” Ponemon Institute, https://databreachcalculator.mybluemix.net/assets/2018_Global_Cost_of_a_Data_Breach_Report.pdf