Data Breaches

The theft of information, also known as data breaches, is a crime that was virtually unknown two decades ago is flourishing in the 21st century. A data breach is defined as the theft of personal information including names, Social Security Numbers, birth dates, medical information, user names and passwords, and financial account information such as credit or debit card numbers. With the increased reliance on information technology organizations are increasing susceptible to this type of fraud. Information thieves are misappropriating data and selling the stolen information on the darknet. The Identity Theft Resource Center reported that as of July 5th, 2016 there were 507 reported data breaches thus far in 2016. This is an increase of over 16% over the year-to-date number of data breaches for 2015.

Over the years, the theft of data has become a profitable crime. This is because in the modern economy, businesses offer goods and services on credit to strangers based on the data in the buyer’s credit history. With telecommunications and internet technology, buyers and sellers do not need to meet in person to consummate their transaction. The internet has made access to information almost instantaneous. Increased access to data on the internet has provided criminals easier access to personal information from both inside and outside the US. Identity thieves can use the internet as a means to gather an individual’s identification without ever coming into personal contact with the individual.

Criminals breach the IT security of companies, not-for-profit organizations and even governmental units and steal information from their computers. Often human resource departments are targeted looking for payroll information which includes Social Security Numbers. Retail outlets are also targeted because they store customer information, including credit and debit card numbers on their computers. Data breaches tend to get substantial amounts of information for the criminals with a minimum risk of being caught. The cost of a data breach can be significant. Kroll reported that in 2014 the average cost of a data breach to a company was $5.9 million with an average cost of $201 per record stolen. Because customers lose confidence in businesses that are victims of identity theft the average cost of lost business after a data breach was $3.2 million in 2014. Some organizations victimized by data breaches include the White House, the Office of Personnel Management, the Internal Revenue Service, Chase Bank, Target, Home Depot, and many others.

The theft of data isn’t the only way to compromise an organization’s information. Another common type of data breach is the installation of ransomware on a victim’s computer. Ransomware is a type of malware that infects a computer and encrypts the information on the computer. The criminals then demand the victim pay a ransom to receive a key to decrypt the information on their computers.

Some interesting statistics on data breaches reported by BitSight include:

• 37.2% of organization in the United States had a botnet grade of “B” or lower. These organizations have a higher chance of having a data breach of their information security systems conducted by computer hackers.
• 54.8% of organizations have a Sender Policy Framework grade of “C” or lower. These organizations have a higher chance of falling victim to spoofing or phishing attacks.
• Crypto-style ransomware attacks on companies grew by 35% in 2015

It is important for companies to understand their risks of becoming a victim of a data breach. Data breaches can be conducted by external attacks, internal attacks, lost data, and even by foreign governments attacking businesses. The majority of data breaches are conducted by criminals gathering information to sell to other criminals. Good internal controls over information technology are a necessity in today’s business environment.

There are a number of legal issues associated with data breaches, In addition to federal laws such as HIPPA, Gramm-Leach-Bliley and the Fair and Accurate Credit Transactions Act that require companies to maintain security over specified information, most states have passed laws that require companies to notify consumers in the event of a data breach. Also, the courts have determined that companies have strict liability for lost information. In other words, the victims do not need to prove the stolen information was used in an identity theft. The fact that they need to pay to monitor their credit or take other actions to protect their identity creates sufficient grounds for damage awards. Businesses must use reasonable procedures to secure data in their possession. The procedures must be documented in writing and be tested or audited on a periodic basis. There is no way to guarantee that an organization will not become a victim of a data breach, but good internal controls can reduce the risk of becoming a victim of this type of fraud.

Footnotes:
1. www.idtheftcenter.org/images/breach/ITRCBreachReport2016.pdf
2. www.kroll.com/en-us/cyber-security/data-breach-prevention/cyber-risk-assessments/data-security-statistics
3. www.bitsighttech.com/blog/data-breach-statistics