Data breach price tag reaches $4M

Organizations experiencing data breaches are once again paying a higher price than the year before, according to a study by the Ponemon Institute sponsored by IBM. According to the report, the average cost of a data breach is now $4 million, up from $3.8 million in the 2015 edition of the same report.

Price tag

The cost of dealing with data breaches is consistently rising. According to the report, the average cost per lost or stolen record in 2016 is $158, up from $154 in the 2015 report and $145 in the 2014 study. That amounts to a 29 percent rise since 2013.

The average cost of a stolen or lost record varies by industry; lost or stolen health care records cost $355 each, a record high in 2016. It is also important to note that legal costs associated with breaches are rising as well. Forty-seven states in the United States have separate breach notification laws. Additionally, the average cost of a legal settlement after a breach in the U.S. now stands at $880,000.

Root cause

When analyzing the root causes of data breaches, the study found that 48 percent of data breaches were the result of malicious attacks on an organization. According to Larry Ponemon, Chairman and Founder of the Ponemon Institute, “these breaches also take the most time to detect and contain. As a result, they have the highest cost per record.” Much damage can be done before the breach is even identified: the report found that the average time to identify a breach now stands at 201 days.

What can be done?

The report recommended that organizations have an incident response team at the ready. Ponemon noted that “Investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches.” According to the report, organizations that put prevention plans in place can experience significant cost savings, because the response process is streamlined and both time and money are saved.

We need a bigger boat: Whaling, the latest threat to cybersecurity

By Lana Smith, DePaul University College of Law, WK Legal Scholar

In the early 2000s a phenomenon known as “phishing” began. This neologism received its name from its similarity to the leisure activity, since both use something as bait in order to catch a victim. Phishing, though, exists in digital form: according to the Handbook of Information and Communication Security (2010), it is the attempt to acquire personal information from internet users by “phishermen” disguised as a trustworthy entity, such as the user’s bank or credit card company. The information collected from users who take the bait can then be used to commit crimes such as fraud and theft of the user’s funds or identity. Due to the dramatic increase in phishing over the years, the Federal Trade Commission created the Anti-Phishing Working Group to slow the growth of phishing emails, websites, and popups. However, the Group may need a bigger net in order to catch the latest trend in cyber security attacks.

Unlike phishing, which targets everyday Internet users, “whaling” or “spear phishing” is designed to target upper-level managers in private companies. Hackers who use whaling attempt to deceive executives in order to obtain confidential company information. Whaling can take a wide range of forms, such as an email whose contents are specifically crafted to match the person’s role in the company, a request purportedly from the CEO to deposit funds in a particular bank account, or a complex legal subpoena.

Regrettably, many executives are falling for whaling scams. In 2008, a subpoena crafted to look as if it came from the Federal Bureau of Investigation (FBI) was sent to 20,000 corporate CEOs, 2,000 of whom clicked the whaling link in the email. This link recorded the CEOs’ passwords and forwarded them to the whaling “phishermen,” who then gained access to sensitive company materials. In response to whaling attacks, the FBI created the Internet Crime Complaint Center (“C3”) in late 2013. C3 reported that in the following year more than 7,000 U.S. companies had been affected by whaling alone, equating to more than $740 million in losses.

The health care industry has also felt the turbulent wake of whaling attacks. In May 2015, the Ponemon Institute published the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data. It found that the total data breach costs of health care organizations and their business associates were approximately $6 billion. The study showed that more than 90 percent of the health care organizations represented had suffered a data breach, and 40 percent of those had more than five breaches in the past two years. Half of the organizations had little to no confidence in their ability to detect all patient data loss or theft. With the average cost of a data breach exceeding $1 million, health care organizations and their business associates should seek the proper measures to help abate whaling.

To complicate matters, a recent decision in the Seventh Circuit, Remijas v. Neiman Marcus Group, reevaluated the “substantial risk” standard for Article III standing. Neiman Marcus released a statement indicating that 350,000 of its customers’ credit cards were possibly exposed to malware, and that 9,200 cards in this group had in fact been used fraudulently. The court held that fraudulent use of 2.5 percent of the compromised cards is sufficient to show a substantial risk to the entire universe of credit card holders whose data was breached. While Neiman Marcus argued that the possibility of a future injury was too speculative to create Article III standing, the Seventh Circuit concluded the harm was “certainly impending” rather than merely possible. If followed in other circuits, this decision may open the door for claimants to file suit for future harm whenever a data breach has occurred at a health care organization or through a business associate.

With 88 and 90 percent of breaches at health care organizations and their business associates, respectively, arising from whaling, each should review its procedures for protecting against whaling and explore ways to transfer the risk. Beyond indemnification clauses in contracts, health care organizations and business associates should consider purchasing cyber risk insurance to eliminate or reduce their exposure to Remijas-type claims for future damage. Most policies should contain first-party protections, which cover the cost of providing notifications and some amount of credit monitoring and/or identity theft protection. Further, most policies provide coverage to defend against, and satisfy, the liability created when claimants pursue the health care entity. Beyond the protections of cyber risk insurance, health care organizations and business associates should also contract with monitoring services to further strengthen their defenses against whaling and other common cyberattacks. If properly prepared, the health care industry may be able to better navigate the waters of large whaling and phishing attacks.

Lana Smith is currently pursuing her law degree and health law certificate at DePaul University College of Law. She completed her undergraduate degree at the University of Michigan in International Studies – Comparative Cultures & Identities. Lana is the Co-Director of Outreach & Recruitment of the Jaharis Health Law Institute Student Board, a staff writer for the Institute’s online publication, the E-Pulse, and an active Health Law Fellow.