Lost Paper Files, Portable Memory Devices, Not Hackers, Cause Most Data Breaches

Hackers and “hacktivists” may be getting a bad rap when it comes to the majority of cause of data breaches. A survey conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA) found hacktivists accounted for only 11 percent of data breaches, while lost paper files and portable memory devices accounted for 65 percent. Surprisingly,  the survey also found that breach remedy costs were lower than expected. The majority of respondents reported $50,000 or less per breach event. The purpose of the survey was to determine the prevalence, cause, and consequences of data breaches.

An example of such a loss was announced on January 21, 2013,  by the Lucile Packard Children’s Hospital at Stanford and the Stanford University School of Medicine. In a press release, the Children’s Hospital and School of Medicine announced that they were notifying patients by mail that a password-protected laptop computer containing limited medical information on pediatric patients was stolen from a physician’s car away from campus on the night of January 9, 2013. Packard Children’s and the School of Medicine launched an investigation with security and law enforcement and began contacting patients potentially affected immediately following the discovery. The information includes names and dates of birth, basic medical descriptors, and medical record numbers, which are used only by the hospital to identify patients. In some cases, there was limited contact information. There is no indication that any patient information has been accessed or compromised.
 
Survey Findings

Four hundred fifty compliance and ethics professionals from a wide range of industries and private and public companies as well as nonprofit organizations responded to the survey, which was conducted during the last quarter of 2012. According to the survey, remediation tended to be the responsibility of the compliance and ethics office (69 percent) with information technology (IT) coming in second (15 percent). The survey findings include:

  • 59 percent of respondents reported that their organization had a breach incident;
  • 37 percent of the organizations reporting a breach incident, reported multiple breach incidents; 17 percent reported two or three incidents, while 20 percent reported four or more breaches;
  • 38 percent reported that lost paper files were the most likely cause of their organization’s last data breach, while 27 percent reported the cause of data loss was the loss of a device such as a memory stick and only 11 percent reported hackers wee responsible for data breaches;
  • 7.2 percent of data involved data processors, and 16.6 involved vendors or suppliers;
  • 47 percent of respondents reported that the latest data breach was reported by an employee other than IT and 15 percent of the reports came from a customer that had notified the organization of the breach;
  • 59 percent of the respondents reported that the cost to resolve the breach was less than $50,000, while 25 percent reported that the breach was resolved at no cost, only 3 percent reported costs that exceeded $500,000 dollars.

Words of Advice from HCCA and SCCE

“Once again we find that an overwhelming number of data breaches are caused by employees’ poor handing of paper and devices, ” Roy Snell Chief Executive Officer of SCCE and HCCA, said, adding that if as much effort was put into internal compliance programs as technical security, we would be more effective at preventing data breaches. “Data breaches are most often caused by people who make mistakes that education, auditing, monitoring, policies, anonymous reporting, etc. can address,” according Snell. “In other words, we need the compliance officer to ensure their compliance program covers this risk area. The majority of data breach problems can not be fixed with Postini, Kaspersky, and Norton Antivirus, yet we continue to focus on software as a solution to problems caused by people.”

Organizations need to stress to employees the importance of printing out only what is necessary and to be vigilant maintaining control of documents and portable memory devices at all times, according to the survey. Organizations should continue to encourage employees to report data losses immediately and should train employees on Internet safety, both in the office and out, to minimize the risk of  a hacker attack. Finally, the survey cautions organizations to be aware that the costs of a data breach in the survey only reflect hard costs, they do not take into account lost business or brand value due to customer or partner mistrust or negative publicity.