Delivering value, one case at a time

E-Discovery & Compliance News

Brought to you by www.law.com

5 Data Breach Risks You Can Prevent


Clark Schweers

The word "information" may sound simple and boring, but the owners of information have access to power, money, and immense competitive advantage. It's not surprising, then, that companies devote significant time, effort, and resources to protecting their proprietary and valuable information.

As the recent spate of hacking incidents portends, data security breaches and threats are increasing, despite growing awareness. President Barack Obama signaled as much when he issued an executive order, "Improving Critical Infrastructure Cybersecurity," earlier this year, highlighting the urgency of the issue.

In the face of a data breach, the legal, operational, and reputational risks are immense. The financial toll of a cyberattack can be staggering (see table below showing some historical examples). The consequences tend to be immediate. Not too long ago, organizations saw protecting against these threats as the responsibility of the IT department. Yet as the world has become increasingly reliant on the transfer of electronic data — for business, business relationships, and social interaction — the risk of losing critical information has risen. Data protection has become a topic of discussion at the board level and a top priority for senior executives, particularly those tasked with driving and managing the growth of an organization.

A Sampling of Significant Data Breaches Since 2007



Source: Privacy Rights Clearinghouse, "Chronology of Data Breaches," www.privacyrights.org


In all likelihood, you could look at your own organization and see examples of how the electronic transfer and tracking of information is expanding, such as:

• An increase in online sales and orders.

• Increased activity for online engagement with customers and suppliers.

• More frequent social media activity by both the company and its employees.

• Growing digital transfer of contracts and business agreements.

• Additional tracking of employee activity, operational processes, and results.

Thus, all of this increased electronic activity requires larger and more detailed databases. With so much valuable information now residing in the digital space, it is crucial to understand the factors contributing to the risk of cyberbreaches. Here are five of the most common risk factors:

1. Technology failure (firewall, server compromised)

2. Criminal act by outsider (hacking, portable device theft)

3. Employee misconduct (collusion with competitor, theft, unauthorized disclosure)

4. Human error (lost or unsecured data portals, misdirected data, improper security configurations)

5. Vendor error (misdirected data, packages, email)

If it has not been done already, it is worth taking the above list to your internal IT and risk management professionals to discuss your company's awareness of, and vulnerability to, each risk, and to get a clear picture of the protections currently in place. Your organization might be a data protection pioneer that has already developed a comprehensive approach to each of these contributing factors, but more likely your company has reacted to changing information protection risks as they arose and has not created specific, proactive plans vetted by a cross-functional team.

That last piece is essential: If company headquarters personnel are the only individuals that have been included in the information protection discussion, you probably are overlooking critical vulnerabilities to your business.

Beyond internal stakeholders, maintain an ongoing dialogue with professionals who deal with cybersecurity matters full time. Legal experts, IT companies, public relations practitioners, forensic accounting specialists, insurance brokers, and insurance carriers all have a role to play in keeping your company abreast of the rapidly evolving understanding of this risk and prepared to respond effectively to a breach. Those responses typically take three forms:

1. Retain: Keep the risk within the organization. In this instance, an entity will hopefully choose to spend resources and time to fully evaluate the risk and determine measures to reduce it. This is where technology and cyber-risk experts can be valuable in properly identifying risk factors and levels.

2. Allocate: Involve in-house legal counsel — and potentially external counsel — to contractually shift the risk to customers, suppliers, and business partners of the entity.

3. Transfer: Transfer the risk to another entity, which is primarily done through obtaining insurance coverage that specifically responds to the impacts of this risk. This is where a knowledgeable insurance broker specializing in cyber-risk, and the expertise of forensic accounting and claims consultants experienced in measuring losses, can be valuable and critical.

Importantly, shareholders and lending institutions expect a robust data security program to be in place. That program, as mentioned above, should include an insurance component. Unfortunately, companies are increasingly finding that they are far less well protected after a cyber-event than they expected, and that the financial impact is far greater than anticipated. So it is important to highlight the basic types of coverage that can be obtained via the growing number of specialized cyber-risk insurance products. They can be separated into two major categories, with various options within each:

1. Third-party liability coverage: This set of protections covers damages and defense costs arising from security or privacy breaches of third-party information held on a company's network, or from a failure to protect sensitive (confidential) information. It can also cover costs associated with responding to and complying with regulatory action.

2. First-party coverage (the insured's own losses): This set of protections is more multifaceted. It can help to recover crisis management and event-related expenses, generally associated with the cost of a public relations firm. It can cover security breach remediation and notification expenses, services generally provided by forensic technology firms or companies specializing in data analytics. Computer programming and electronic data restoration can also be covered by first-party products, as can costs associated with business interruption and extra expenses. The costs of computer fraud and e-commerce extortion can also be insured, covering direct loss or extortion of money, securities, and property.

Clearly there is a financial and resource limitation to protecting against each and every possible data breach or cyberattack, but it is critical for organizations to develop awareness and stay informed of the evolving options for managing these risks and putting the above strategies in place.

As recently as a few years ago, companies believed that the financial burden of performing a comprehensive cyber-risk analysis and implementing programs to minimize or prevent cyber-risk was not practical. Today, the dynamic has changed. While cyber-risk is a relatively new phenomenon, we can take guidance from one of the giants of American entrepreneurship, Benjamin Franklin, who said, "By failing to prepare, you are preparing to fail."






kCura Releases Relativity 8


Chicago-based kCura launched Relativity 8, adding key new features including email threading, an easier method to calculate precision and recall, and the ability to process EnCase Logical Evidence Files.

The e-discovery software maker claims Relativity's new search architecture decreases index build times by up to 70 percent and returns search results up to 20 times faster. KCura also says back-end structural improvements in version 8 accelerate document-to-document viewing while reducing server utilization.

Relativity Analytics, an add-on module, now includes email threading as well as near-duplicate detection, language identification, and automatic detection of repeated content to help users build analytic indexes.

KCura has also made improvements to its technology-assisted review. Relativity 8 supports seed sets with previously coded documents and provides the option to use a control set to calculate precision, recall, and an F1 Score or f-measure.
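The control-set metrics mentioned above are standard technology-assisted review measures: reviewers code a random sample of documents (the control set) by hand and keep it separate from the seed set used for training, then the classifier's predictions on that sample are compared with the reviewers' coding. The following is an added illustration of that calculation, written for this page; it is not kCura's code and does not show how Relativity computes these figures internally. The document identifiers, the coding decisions and the predictions are constructed sample data, and a control-set document the classifier never scored is treated as predicted non-responsive (an assumption made here so that missing predictions count against recall rather than crashing the calculation).

```python
"""Precision, recall and F1 over a TAR control set (illustrative, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ReviewMetrics:
    true_positives: int     # coded responsive AND predicted responsive
    false_positives: int    # coded non-responsive BUT predicted responsive
    false_negatives: int    # coded responsive BUT predicted non-responsive
    precision: float        # TP / (TP + FP): how much of what the model flags is really responsive
    recall: float           # TP / (TP + FN): how much of the truly responsive material the model finds
    f1: float               # harmonic mean of precision and recall (the "F1 score" / f-measure)


def score_control_set(control_set: dict, predictions: dict) -> ReviewMetrics:
    """Compare reviewer coding on the control set with classifier predictions.

    control_set: {doc_id: True if reviewers coded the document responsive}
    predictions: {doc_id: True if the classifier predicts responsive}
    Only documents in the control set are scored; predictions for other documents are ignored.
    A control-set document with no prediction is treated as predicted non-responsive (assumption).
    """
    tp = fp = fn = 0
    for doc_id, coded_responsive in control_set.items():
        predicted_responsive = predictions.get(doc_id, False)
        if predicted_responsive and coded_responsive:
            tp += 1
        elif predicted_responsive and not coded_responsive:
            fp += 1
        elif not predicted_responsive and coded_responsive:
            fn += 1
        # predicted non-responsive and coded non-responsive: a true negative, not needed here

    # Guard the degenerate cases: no predicted positives, or no coded positives, or both zero.
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    f1 = (2 * precision * recall / (precision + recall)) if (precision + recall) else 0.0
    return ReviewMetrics(tp, fp, fn, precision, recall, f1)


# Constructed sample: a ten-document control set, four of which reviewers coded responsive.
CONTROL_SET = {
    "DOC-0001": True, "DOC-0002": True, "DOC-0003": True, "DOC-0004": True,
    "DOC-0005": False, "DOC-0006": False, "DOC-0007": False, "DOC-0008": False,
    "DOC-0009": False, "DOC-0010": False,
}

# Constructed sample: the classifier flags five documents, three of them correctly.
# DOC-0004 is coded responsive but missed; DOC-0010 has no prediction at all.
PREDICTIONS = {
    "DOC-0001": True, "DOC-0002": True, "DOC-0003": True, "DOC-0004": False,
    "DOC-0005": True, "DOC-0006": True, "DOC-0007": False, "DOC-0008": False,
    "DOC-0009": False,
}


def sample_metrics() -> ReviewMetrics:
    """Metrics for the constructed sample above."""
    return score_control_set(CONTROL_SET, PREDICTIONS)


if __name__ == "__main__":
    m = sample_metrics()
    print(f"TP={m.true_positives} FP={m.false_positives} FN={m.false_negatives}")
    print(f"precision={m.precision:.3f} recall={m.recall:.3f} F1={m.f1:.3f}")
```

On the constructed sample the classifier reaches a precision of 0.60 and a recall of 0.75, which is the usual shape of the trade-off in review: raising the cut-off to improve precision would push more responsive documents into the false negatives and lower recall, and it is recall that opposing parties and courts tend to scrutinize. The zero-division guards matter in practice because an early-round control set can contain no predicted positives at all.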

Navigating in Relativity 8 includes a new Favorites feature and an overhauled image viewer. The improved user interface also has new features for redactions, including full-page and inverse redactions, which allows a review attorney to select responsive content and automatically redact the remainder of a document. The new Relativity also supports tokenless two-factor authentication and has better Active Directory integration, which gives organizations more options to secure access to Relativity and provide granular content review.

Relativity 8 can directly process EnCase Logical Evidence Files (L01) and automatically decrypt files for processing and imaging. KCura has unified its application programming interfaces to provide a more consistent development interface and now supports AppDomain isolation, which allows applications and custom code to run in their own sandboxes.

For more information on Relativity 8, see kCura's website.






What to Do About High Data Breach Costs


It's not always good to be Number One. According to a newly released report from the Ponemon Institute, the U.S. is the most costly country in the world in which to have a data breach. In its "2013 Cost of Data Breach: Global Analysis" study, Ponemon reported the total cost of a breach incident in the U.S. to be $5.4 million, or approximately $188 for every exposed record.

Lost business costs, such as abnormal turnover of customers, reputational harm and diminished goodwill, associated with a data breach averaged over $3.03 million in the U.S. Notification costs are a leading driver of total breach response costs, and giving notice too soon can raise that cost even higher, according to the report. Although the most expensive breaches were those caused by malicious attacks by hackers or criminal insiders, the majority of breaches — 63 percent — resulted from either negligence or system glitches.

Costs associated with data breaches were highest in heavily regulated industries, such as health care, financial, and pharmaceutical businesses. The per capita cost was $233 for healthcare organizations, $215 for financial businesses, and $207 for pharmaceutical companies, all well above the overall mean cost of $136. Public sector organizations and retailers had the lowest per capita cost, coming in at $81 and $78 respectively.

Faced with continuing front-page stories of cyberattacks and data breaches, all entities must avoid a "who would want my data" approach to data security and breaches, and instead adopt a "when, not if" mindset. The good news, as confirmed by the Ponemon study, is that implementing robust IT systems, such as intrusion detection or intrusion prevention systems, together with business processes to minimize and mitigate the risk of a data breach, really pays off.

RISK MANAGEMENT

An internal risk management program, including the establishment of strong policies and procedures, training, and insurance, can reduce the chances of a data breach and mitigate the damages if a breach occurs. Ponemon found that implementing solid data security practices translates into significant savings if a breach occurs. Having a data breach response plan in place cut per-record costs by approximately $42. Maintaining a strong security posture reduced costs by $34, and appointing a chief information security officer saved another $13.

Steps organizations should take to manage and mitigate the risks of a data breach include:

• Review internal policies and procedures regularly to make sure they are current and compliant with the ever-changing statutory and regulatory framework governing confidential information. Forty-six states have laws dealing with notification and security requirements, and foreign laws must be incorporated into the policies and procedures of companies that do business outside of the U.S.

• The policies and procedures must be distributed to, and followed by, employees.

• A comprehensive incident response plan should be implemented and updated regularly. Having a plan in place before a breach incident occurs can substantially mitigate the costs and other harmful consequences of a breach.

• A data security consultant should be retained to conduct a yearly security risk assessment to identify any vulnerability in processes and procedures for handling confidential data. Some laws, such as the Health Insurance Portability and Accountability Act (HIPAA), require periodic risk assessments.

• Education of employees is critical to the success of any compliance program. All employees must be educated and trained regularly regarding those policies and procedures, and any applicable laws and regulations. Some laws, such as the Massachusetts Data Protection Law 201 CMR 17.00, mandate these types of training programs. The value of adequate training cannot be overstated, particularly in light of the Ponemon finding that employee negligence accounted for 33 percent of breach incidents.

• Work closely with business partners to ensure the proper handling of confidential data. Vendors are the cause of at least one-third of all data security incidents, and Ponemon found that third-party error is the number one factor increasing the cost of a data breach. Contracts with vendors, franchisees, and other third parties should carefully address data security, compliance with relevant laws and industry requirements, breach response, indemnification, and insurance for data breaches.

• Ensure that all data collection and sharing practices comply with your organization's privacy policy. Regulators, such as the Federal Trade Commission, are particularly attuned to this issue.

• Consider retaining a chief information security officer to serve as an in-house watchdog over data security issues.

CYBERINSURANCE

Cyberinsurance can help organizations respond to and mitigate the potentially devastating consequences of a data breach. Most cyberinsurance policies provide invaluable assistance in responding to a breach, including first-party coverage for an attorney breach coach, forensic technicians, notification providers, credit monitoring services, and crisis management professionals, and third-party liability coverage for legal defense costs and fines. Many insurers have experienced teams of professionals ready to spring into action in the crucial period directly following a breach event and to defend against any lawsuits that may arise from the breach. Cyberinsurance can provide a lifeline, particularly for small and midsize businesses that are victimized by a data breach.

As confirmed by the Ponemon study, putting systems and procedures in place to improve data security and to respond to breach incidents substantially reduces the impact and negative consequences of a data breach. The stakes couldn't be higher, but taking a proactive approach can significantly mitigate the risks.






White-Collar Criminals 'Outgunning' Law Enforcement

sreisinger@alm.com (Sue Reisinger)

Law enforcement is "outmanned and outgunned" by criminals using the latest technology to commit white-collar crimes, according to attorney Maranda Fritz, a former senior counsel in the Manhattan district attorney's office.

"Individuals can use technology to access and target victims in the U.S., but the government is literally walking away from these cases because [prosecutors] can't figure out how to gather evidence, analyze it, and reach the [perpetrator]," said Fritz, now a partner in the white-collar crimes practice in the New York office of Hinshaw & Culbertson.

The sheer quantity of electronic evidence can be overwhelming for investigators, she said.

Fritz described one fraud case she defended in which the government seized a company's computer hard drives. But the court tossed that evidence and dismissed the case because the government hadn't processed the hard drives upon seizure, as required.

When a member of the U.S. attorney's office was asked later why they hadn't processed the evidence right away, "The guy said simply, 'We don't have the resources you think we have,'" according to Fritz.

She also said crooks are getting smarter. The prosecutor's evidence of choice used to be email or phone wiretaps, she explained.

"But I no longer see clients using email," Fritz said. "Now they use text messaging or Skyping. The government doesn't have the ability to capture most texting or Skyping."

Clients, she said, have enormous sophistication. "But the government — including the Securities and Exchange Commission — seems clumsy and way behind the curve. They simply don't have the resources to bring in tech-savvy individuals to keep up with what's going on."

Fritz spoke as part of a conference call presented by the firm on Tuesday, discussing trends in white-collar crime and investigations.

Other speakers included:

• Sergio Acosta, a partner in Hinshaw's Chicago office, who talked about the Foreign Corrupt Practices Act. Acosta said that while the U.S. has not formally adopted compliance as an FCPA defense, recent actions by the government have created a "de facto" defense if a company has an efficient compliance program in place. "There are two major components to declination [to prosecute] decisions," Acosta said, "cooperation on the part of the company and the existence of an effective compliance program."

• Lee Smith, also a Hinshaw partner, who discussed the rising trend in internal investigations. "It used to be there would be no written report," Smith said. "But now we see much more transparency and specificity in findings." Also, now reports are often made public in order to gain credibility with the public as well as with prosecutors, he added.

The speakers and the law firm also produce regular updates on their white-collar crime blog.







Copyright © 2012 ValuData Discovery, Inc. All Rights Reserved.