Human error was the number one cause of data security incidents according to a new report released by the Privacy and Data Protection Team at US law firm BakerHostetler. In the incidents that the firm worked on last year, employee negligence was responsible 36% of the time. That was followed by theft by outsiders (22%), theft by insiders (16%), malware (16%) and phishing attacks (14%).

The BakerHostetler Data Security Incident Response Report provides insights generated from the review of more than 200 incidents that the law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. The firm has more than 900 lawyers located in 14 offices across the US.

The report also makes clear that no industry is immune from threats to its sensitive information. Industries represented in the report include education, financial services, retail, insurance, technology, entertainment, hospitality and, in particular, healthcare sectors. While healthcare topped the chart of industries affected, that is due in part to strict data breach notification laws that all healthcare providers must follow.

“It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information,” said Theodore Kobus, co-chair of BakerHostetler’s Privacy and Data Protection team. “Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront.”

Rapid Response is Critical

The BakerHostetler Report shows that incidents were self-detected 64% of the time. Of the incidents reported by a third party, 27% were due to theft. According to BakerHostetler, a quick response to an incident is important for several reasons, including creating the opportunity to stop an attack in its early stages before sensitive data is accessed, preserving available forensic data to enable a precise determination of what occurred, and generating affirmative evidence to help the company respond in a way that protects affected individuals and minimizes potential financial and reputational consequences.

For incidents that involved identifiable dates of detection and notification, the average amount of time that elapsed from incident occurrence to detection was 134 days. Many of the incidents the firm worked on involved protected health information (PHI), and on average notification was made within 50 days of the time the company became aware of the incident (In the US notification is required within 60 days of discovery when PHI is involved).

Among the other notable statistics in the report are:

• Not all security lapses involved the theft or hacking of electronic records. Of the incidents included in the report, 21 percent involved paper records
• 58% of the incidents required notification of affected individuals – based on state breach notification laws in the US
• Credit monitoring was offered in 67% of the incidents
• In 75 incidents where notification letters were mailed, only five of the companies faced litigation by potentially affected individuals
• Attorneys General were notified in 59 cases, resulting in inquiries 31% of the time. Multi-state inquiries were initiated less than 5% of the time
• For incidents involving stolen payment card data, PCI Data Security Standards fines for non-compliance ranged from $US5,000 to $US50,000 per matter. Initial demands for operating expense and fraud assessments ranged from $US3 to $US25 per card involved

“While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimise vulnerabilities,” said Gerald Ferguson, co-leader of BakerHostetler’s Privacy and Data Protection Team.

The full report can be found here.