“Privacy laws around the globe are shifting the way companies prepare for and manage data breaches. Our report highlights the collision of data security, privacy and compliance, and provides guidance on how companies can take action on key response items,” said Theodore J. Kobus III, leader of BakerHostetler’s privacy and data protection team.
Now in its fifth consecutive year as the only report of its kind produced by a law firm, the report includes metrics related to key incident response areas of concern for entities of all sizes and across all industries.
Trends in incident cause and response metrics:
Phishing remains the leading cause of incidents tracked by the report, and roughly one-quarter of all incidents BakerHostetler responded to in the past year were caused by lost devices, inadvertent disclosures or system misconfigurations. Across the 750 incidents analyzed, 55% had employees involved as the responsible party, through a mix of simple mistakes, to falling for phishing or being socially engineered.
“Raising employee awareness and employing multifactor authentication are still two of the best defenses to address the employee risk factor,” said Kobus.
Forensic investigations on the rise. In 2018, forensic investigations were conducted in 65% of all incidents analyzed in the report. Forensics were used in 79% of network intrusions, a 14% increase from 2017. Although more companies are investing in security tools that can assist in investigating security incidents, few companies have the experience and capacity to adequately investigate without third-party help.
The average cost of the forensic investigations decreased from an average of $84,417 in 2017 to $63,001 in 2018. However, for investigations of network intrusion incidents, the average rose to $120,732 from $86,770 in 2017.
Entities continue to improve their detection capabilities in-house. In 2018, 74% of incidents were detected internally, a marked rise from only 52% in 2015.
Increasing scrutiny from regulators. While many U.S. entities are subject to the European Union General Data Protection Regulation (GDPR), every state in the U.S. now has its own law governing data breach notification requirements, and state attorneys general continue to increase their oversight activities and expand their enforcement regimes through new state laws or increased use of existing laws. In 2018, 34% of the incidents that required consumer notification received inquiries by state attorneys general, compared to just 16% in 2015. Other enforcement agencies are also becoming more active, particularly in the financial and insurance areas.
Companies make gains in some response metrics. A historical look at the response timeline for incidents shows that entities have made steady improvements in containment and time to complete forensics. Containment has remained in the range of six to eight days over the past five years, but the length of forensic investigations has been significantly reduced, from 47 days in 2015 to 28 days in 2018.
Despite new regulations pushing entities to notify quickly, the report shows a 67% increase in the time from discovery to notification, averaging 40 days over the past few years to 56 days in 2018.
Key findings and recommendations:
Get ahead of the compliance curve. New laws are inevitable, so try to anticipate what will be enacted, because most new laws borrow heavily from existing laws and core privacy and security principles: transparency, confidentiality, integrity, availability, fairness and data minimization.
Conduct M&A due diligence. Evaluate digital risks to assess the target’s privacy compliance and security posture before the merger or acquisition. Compromise assessments before or immediately after acquisitions of new entities help find undetected issues and support integration efforts.
Litigation persists. Class actions arising from data breaches or that allege violations of privacy laws continue, and outcomes remain inconsistent, with outliers in both court rulings and settlements. Derivative actions are becoming more popular, based on both data breaches and statutory compliance grounds. The plaintiffs’ bar continues to be creative to survive motions to dismiss, and some are coordinating efforts with regulators.
Use “compromise response intelligence.” Leverage the misfortune of others to identify emerging risks: Identify the issues affecting other companies and address them before you become a victim.
Nation-state attacks drawing more attention. Nation-state cyber operations continue to support espionage, economic development (through IP and trade secret theft) or sabotage, and collateral damage to unintended victims has been significant. It has become increasingly difficult to differentiate between the tactics, techniques and procedures used by nation-state actors and criminal actors. Good data on how often these attacks occur is hard to find, partly because they go undetected or unreported.