Lessons Learned from 1,000 Data Breaches…and Counting by Mike Donovan

02/07/2014 23:56

Companies are primarily focused on protections, when instead they should be considering what to do after the systems are breached.

Do you know your enemy? Are you fighting the wrong war? Despite everything you’ve read about cyber security, despite all the breaches in the news, the fact is well-intentioned business people are still surprisingly behind the times.

Thieves and hackers are by no means the main cause of data breaches. Cyber security is just one element—because physical records, paper and files, continue to play a major role. And too few managers understand that they remain responsible for lost information—even if no one has noticed it is missing or taken advantage of the breach.

What does this tell you? Cyber security is just one part of the equation. Breaches happen many ways. And it could be companies are fighting the wrong war. They’re focused exclusively on protection, on encryption and firewalls for example, when they should be considering what to do after the systems are breached.

My company, Beazley, isn’t mainly in the business of preventing breaches. Instead, and perhaps more relevant today, we’re the people who help companies survive them. We’ve resolved over 1,000 cases in the last five years.

Let me tell a few illustrative stories—and some interesting lessons to be learned.

  1. An angry client of a large, prestigious law firm broke into their offices and stole all their hard drives. They had a great encryption system, powerful firewalls, all the latest data security software. None of that made a whit of difference; they were breached anyway.
  2. A multi-state health provider sent a free wellness magazine to its older members. They loved it. But one month their printing system got the mailing labels wrong—each one contained not just the member’s address but their patient ID as well—and those included their social security numbers.
  3. Outside contractors remodeling an office disposed of some old file cabinets. Unfortunately, scores of old computer backup tapes were stored inside them. Did bad actors get hold of the data? Was anybody hurt? No, it was only an accident. But the company was, nevertheless, responsible. They had to search for the tapes in a landfill and notify thousands of customers.
  4. Thieves posing as employees of a recycling company worked their way up the Eastern seaboard removing X-rays from hospital radiology labs. Their plan was to retrieve and sell the silver in the films. The problem was the X-rays were marked with patient data: names, addresses, dates of birth and social security numbers. The crooks were not identity thieves. They weren’t after the data. But thanks to HIPAA rules, the hospitals had to navigate around hefty fines.
  5. A doctor was in the habit of motorcycling to work. One day his briefcase came open. He arrived safely at his office, but hundreds of patient records were scattered three miles behind him.
  6. One company’s security system was so complete that they guarded their data against their own employees. Staff had to type in secret codes to get information using special terminals, with a security camera watching over each one. An insider, however, was stealing employee identities. She stood behind friends while they looked up data and memorized the information.

What are the lessons? 

The first one is that accidents are behind more data breaches than hackers. There are plenty of crooks out there, but your own innocent employees mislay more data. The second lesson is that this isn’t only an information systems problem. Pieces of paper, devices and hard drives, X-ray films and even mailing labels can be vulnerabilities. A third lesson is that thieves come in all manner of disguises. They’re not just digital wizards in Russia; they’re maintenance men or angry clients or a fellow worker looking over your shoulder.

The last, most significant lesson is that you’re responsible. Thanks to HIPAA rules, legal decisions, state and federal regulations, if important data disappears your company has the burden of recovering it and notifying those who might be harmed. It doesn’t matter if it was an accident, if no injury resulted, if you didn’t even know there was a breach or what went missing.

And that brings us to data breach insurance. It really has two parts. The first part is traditional insurance – to protect your company against potential losses. You need a broad, well-crafted policy, with coverage and limits to address the full variety of claims arising out of your company’s underlying exposures. (There are several ways of setting limits—and we’ve found that a per-person basis, up to, say, two million or five million records—gives us a better way to define the risk.)

The other part of data breach insurance has the characteristics of a service. In the event of a breach, we provide—and pay for—the IT forensics experts, the specialized legal help, the PR consultants and the notification services you need when there’s a complex breach. The vendor is there to advise you and walk you through the steps, because, believe me, this isn’t something you want to learn while you’re going through it.

The good news is there’s a lot that you can do to mitigate the damage. It’s in your hands, and if your response is sound, no liabilities may follow.

And so what happened to the companies in the stories? Our IT experts tracked down what the law firm lost—and we helped notify their clients. We worked with the company that lost its backup tapes. They were never found, but thanks to us their liabilities were covered. For the mailing labels, we knew how to notify the readers. For the hospitals with the missing X-rays we supplied expert IT specialists—because some of them had no index for their records. We identified and notified the patients of the motorcycling doctor. We helped find the insider who was memorizing information—and, even more difficult, we identified the people whose identities she stole.

Data breaches are, unfortunately, a part of doing business. No matter how well you’re protected they will happen. It isn’t “if”; it’s “when.”

And a final lesson to be learned: A data breach doesn’t have to be a disaster—but mishandling it is.

Mike Donovan is the Global Leader of the Technology, Media, and Business team at Beazley, the leading specialist insurer, pioneering data breach response insurance through the Beazley Breach Response (BBR) product.