The Privacy and Data Protection team at BakerHostetler, a law firm with offices across the U.S., has released a report stating that human error was responsible for the majority of the security incident cases it worked in 2014.
According to the report, employee negligence was responsible for 36 percent of the cases, followed by outside theft (22 percent), insider theft (16 percent), malware (16 percent) and phishing (14 percent). The numbers, based on more than 200 incidents, align somewhat with other, larger reports released this year, despite the small sample size.
Looking at the industry breakdown, none of the listed sectors is immune, but healthcare topped the list with the most incidents reported last year, mostly because of strict breach notification laws.
Retail and hospitality, followed by financial services, professional services, and education, round out the firm's list, but there is another side to the data. While healthcare had the most incidents, the professional services industry had the most severe incidents.
"While PHI incidents are disclosed more frequently, driven in part by HIPAA presumption that a breach occurred, the severity when measured by number of affected individuals is often less (many incidents affect less than 10 people). It is also not surprising that professional services and retail/hospitality services providers top the list when it comes to severity. And because incidents affecting these sectors often require forensic investigation and draw more media coverage, the cost and potential financial consequences are dramatically higher on a per-incident basis," the report says.
Another interesting tidbit from the report concerns detection. While forensics vendors in the InfoSec space report that most incidents are not self-detected, the clients that went to BakerHostetler detected the incident themselves 64 percent of the time.
While the majority of the firm's clients were dealing with incidents involving electronic data, 21 percent of the incidents were paper-related. That is not a small number, considering that most medical offices still use paper records, and law firms do too.
The report goes on to note that a majority of the clients offered credit monitoring in the aftermath of an incident.
"Whether paper or electronic, the data at risk that led to the decision to notify in 58 percent of our incidents was data subject to state breach notification laws, such as Social Security or driver’s license numbers and financial account information. Health information was affected in 34 percent of the incidents and eight percent involved payment card data," the report adds.
When it comes to regulatory action, multi-state inquiries followed fewer than five percent of the incidents, and only 59 cases required notification of a state attorney general.
In the retail sector, merchants whose payment card data was compromised saw fines and assessments from all four card brands ranging from $5,000 to $50,000, with an initial demand for operating expense and fraud assessments ranging from $3 to $25 per card.
The report's bottom line, though, is that humans remain a top risk, and it is a problem that is not easy to address.
“While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimize vulnerabilities,” said Gerald Ferguson, co-leader of BakerHostetler’s Privacy and Data Protection Team.
The full report is available here.