Borick: Data breaches now the norm instead of the exception

by Matt Borick

You may have heard of a recent “international incident” involving Sony Pictures and North Korea over the movie The Interview, a comedy about a plot to assassinate Kim Jong Un, North Korea’s leader. Computer hackers in North Korea did not appreciate this storyline, and voiced their disapproval by launching a massive cyber attack on Sony. Nearly 50,000 current and former Sony employees had their personal information released. Multiple lawsuits have already been filed.

Sony is just one more in a growing list of prominent companies – including Target, Home Depot, Staples, and Neiman Marcus, to name a few – to suffer a data security breach, and make headlines for it, in the recent past. (In fact, this was Sony’s second well-publicized breach.) But the misfortune that has fallen on Sony and these other business icons is certainly not unique to them. The same thing could happen to any business, large or small, regardless of location.

And, in fact, it already has. According to a recent Ponemon Institute study, more than 40 percent of all companies surveyed had suffered significant data breaches in 2014. And just to be clear, data breaches are not confined to the private sector: even the Department of Homeland Security has been hacked. With data breaches, it is simply not a question of “if” one will occur, but rather a question of “when.” This is easy to see once you consider that roughly 60,000 new pieces of malware are written every day.

Approximately 80 percent of all data breaches result from relatively unsophisticated attacks made possible by simple human error, such as misconfigured systems or applications. And nearly half of all breaches are tied to vulnerabilities of outside parties (e.g., contractors) working with the company that ultimately is breached. A prime example is Target, whose breach originated when an employee of a small HVAC company clicked on a link in an unverified e-mail.

Just like their victims, data breaches come in all shapes and sizes. They can range from sophisticated electronic infiltration all the way down to the physical theft from a doctor’s driveway of boxes containing sensitive medical information. They can involve 100 records or 100,000. Data breach perpetrators have included seasoned hackers, disgruntled employees, zealous activists (“hacktivists”), organized crime rings, and rogue nation states. These perpetrators act under a variety of motives, ranging from extortion to revenge to competition to politics to protest to “street credit.” Moreover, personal data has tangible value on the “black market,” ranging from $1 for a credit card number to $50 for a medical record.

But regardless of the means of the breach, the identity of the perpetrator, or the reason behind the attack, the cost implications from a data breach can be substantial, if not enormous. Early estimates indicated that losses to Sony from its most recent breach ultimately could be half a billion dollars. Target recently reported costs of $150 million for its breach. A 2014 study by the Ponemon Institute estimated the average cost of a substantial breach (between 5,000 and 100,000 records) to be $5.9 million, or $201 per record lost or stolen – not including potential regulatory penalties or legal liability. And these penalties can be steep, in some cases over $1 million. Here in Vermont, a prominent bank paid $83,000 in penalties after a breach; a health food chain paid $15,000 (plus another $15,000 in required system upgrades); and a small country store paid $3,000.

At this point, the best way for a business to avoid all of the pitfalls of a data breach might seem obvious: don’t get breached. But as suggested above, complete prevention is not a realistic goal; new exploits come out every day, so what seems like the perfect plan today will be imperfect by tomorrow. Instead the focus must be on preparation, detection, and response. A business’s performance in these three departments could mean the difference between a $5,000 problem and a $5 million one.

Preparing for a data breach requires businesses to undertake many key activities, including the creation of a data security team (with both in-house and external members); auditing the company’s data collection, storage, usage, transfer, and disposal; development of a breach response plan; employee education, training, and communication regarding smart data practices; conducting data breach “fire drills”; maintaining compliance with applicable laws, regulations, industry standards, etc.; review of agreements with third parties that have access to company data; and assessment of insurance coverage. But before all of these, preparation starts at the “50,000-foot level” with the establishment and promotion of a corporate culture that recognizes the importance of privacy and data security. The weaker the commitment, the greater the risk. Just ask Sony, which apparently used the default word “password” to control access to various networks and social media accounts.

Early detection of a breach also is critical for minimizing damage. Recent studies have shown that on average it can take more than 200 days to discover a breach. Needless to say, that is a lot of time for damage to build up. Better detection can be achieved through both technology (e.g., malware detection tools) and good common sense, such as watching for unusual data patterns and anticipating times when susceptibility might be high (e.g., before a long holiday weekend).

Finally, a swift and effective response to a data breach is critical, and it all starts with a dedicated response team and a solid response plan. The good news, as borne out in the Ponemon survey, is that many businesses already have plans and teams in place. A successful response will require, among other things, immediate mobilization of the team, containment and stabilization of the breach, proper and timely notifications to regulators and persons whose data has been compromised, meaningful public outreach and messaging, and institution of call centers and protective services (e.g., identity theft monitoring) to assist those affected by the breach.

The notification component of a data breach response can be particularly tricky, and failure to provide all required notices can result in fines and penalties, as well as increased losses to affected parties, diminished consumer confidence, and other undesirable outcomes. Forty-seven states, including Vermont, have enacted statutes requiring data collectors to notify regulators and affected individuals of breaches involving personally identifiable information (PII).

Whether we like it or not, data breaches have become an unfortunate – and inevitable – reality in today’s data-driven world. The issue of data security (or “cybersecurity”) is one of national and international importance, but the battle against data breaches needs to be fought at all levels. And because threats and risks are increasing every day, it is critical that businesses understand both the importance of being prepared for a data breach before it happens and the need to act quickly in response.

Mathew Borick, Litigation Director at Downs Rachlin Martin, helps clients reduce data security risks.