The Risks & Impact of the Explosive Growth in Data Breaches, Plus How to Protect Your Company & Your Employees
View this Content Online as a Short Article on Portland Business Journal
Webinar Video & PowerPoint Slide
The number of data breaches is at an all‑time high. It’s increased 40% year over year over the last two years and this problem isn’t going away. In fact, it has become more serious. Literally, last year over 1,000 breaches were reported in the news. This translates to roughly three major (reported) breaches that create significant harm to people in the US and around the world every day. You’ve probably been personally affected by the recent Equifax breach, if not one of the other hacks that we’ve been hearing so much about. Data breaches touch everyone!
While you may think that identity theft isn’t all that pervasive, it is in fact incredibly common.
When our data is breached, we are roughly three to four times more likely to fall victim to identity theft than someone who’s not had their data breached. Unfortunately, due to the Equifax breach, roughly one in two employees in the US have been compromised. If you pool your employees on whether they’ve been affected, you’ll find roughly half of them have been affected by this problem. 15.4 million people fell victim to identity theft last year alone, which was a 16% increase over the prior year, and this is approximately 10% of your workforce!
Here’s the story by the numbers on business cyber-attacks:
- 55% of small business owners experienced a cyber‑attack in the past 12 months. Smaller firms may not have the same security as the larger firms, so they too are vulnerable to an attack.
- Only 14% of the companies rate their ability to mitigate a cyber‑attack as highly effective. Let’s face it, we’re all aware that we could do more.
- 47% of data breaches are caused by malicious or criminal attack.
- Accidental release of private data by an employee accounted for 25% of data breaches in 2016, while IT glitches and other process failures were the cause 28% of the time.
Companies are liable for failing to protect their employees’, customers’ and business partners’ confidential information.
Looking back10-15 years, identity theft was primarily committed by people who were taking convenience checks out of recycling bins, stealing mail out of residential mailboxes, and people’s cars. Around 2005 identity theft started to change when organized crime got involved, and we started to see explosive growth of data breaches. Then in 2015, we experienced one of the largest shifts in terms of threat vectors, when nation‑states started to get involved in stealing personal information. Unfortunately, over the last two to three years nation‑states have become the main perpetrators of numerous cybercrime activity, including a variety of cyber‑attacks around our elections, specifically China and Russia, as well as Syria, Iran, and North Korea.
In one of the most recent breaches that hit Equifax, 145.5 million credit records were stolen, allegedly by the Chinese Government. One might wonder what’s going on? The crux is that electronic information stored around our credentials creates access not only to our financial information, but to literally everything we value. Whether it’s our financial accounts, health savings accounts, or access to various Websites to protect our pets, cars, and homes. Everything is secured through our identity and our credentials.
Where does our stolen identity data go? There’s a digital location called the Dark Web, which is used by organized crime and nation‑states to essentially search and exchange information.
Social Security number theft is one of the growing problems that is pervasive at the beginning of the year. Literally, millions of fraudulent tax returns are submitted on behalf of US citizens by fraudsters to the tune of roughly $21 billion of losses out of the IRS system. You won’t receive a tax refund when this happens to you as a victim. When you submit your tax return through the IRS, they’ll inform you that you have already submitted a return. Once you identify that this was identity theft, the IRS will try to recover the problem, but it may take a period of time.
Sadly, out of the nine forms of identity theft, one of the more targeted populations is children’s identity and Social Security numbers, which account for 30% of all identity theft. Identity thieves have a full 18 years to use these Social Security numbers without being caught since their Social Security numbers are not typically used until they go to college or rent an apartment. How to reduce the risk of identity theft and determine whether it’s happened to you.
What are they doing with our health data? According to Rick Kam, President and Founder of ID Experts, “It turns out medical identity theft is a contributing factor to the opioid problem in the US. The perpetrators are using our health identities to get access to opioids from multitudes of pharmacies, (plus illegal and other prescription drugs), and then selling them on the Dark Web.” The other problem involves selling our health identities to people who need health insurance. For example, one woman’s health identity was used by another woman to give birth in a hospital. The victim found out when she was called by the child protective services to report her newborn daughter had tested positive for methamphetamine. See her story on YouTube: https://youtu.be/MQjocgRfuNE.
Unfortunately, medical identity theft has a horrible side effect of potentially being a risk to health and safety. Additionally, medical ID theft is the costliest and it can take months or more to clean it up. The average victim takes at least a few days off work to deal with this problem. Between 3-10% of the total revenue from US healthcare services is identified by the FBI as medical fraud, which equates to $70 – $200 billion of losses based on 2015 revenues. The problem with the common patient is that their medical record will start to reflect someone else’s medical data. Just imagine going to the emergency room when you’re not coherent. The doctors will rely on your electronic medical records to give you a transfusion, to medicate you, and so forth.
What is your company’s risk of attack?
Start by assessing the types of data you store that are at risk. Do you…
- Store physical or electronic employee personal records?
- Have a transactional Website?
- Use third-party vendors, such as cloud and IT services?
- Have a self‑funded health plan?
- Accept online payments?
- Store your customers’ corporate confidential information?
- Allow your employees to use personal devices to connect to your network?
NOTE: Some of the largest claims we’ve seen in the Northwest have resulted from lost laptops and the data available on them. Many data breaches involve an employee mistake, so it’s important to train your employees on proper email use and other privacy issues.
Quantifying the costs of data breaches & loss of business– Unfortunately, there are a lot of costs from exposure. These are just a few of the major costs:
- Forensic examination to determine scope
- Notification of affected customers and other parties
- Call center payments to handle customer questions
- Credit or identity monitoring
- Public relations
- Legal defense
- Regulatory penalties or proceedings
- Time element losses and loss or damage to data/property
- Liability for denial of service from or access to data
Forensic examination to determine the scope is one of the most important insurance coverages to have. The total expense associated with determining why the breach took place, especially in a complex organization, can be difficult to assess. The breach could have been taking place for six to twelve months.
How much cyber liability insurance is enough? The chance of cyber‑threat differs among industries. For example, healthcare has a different exposure per record than retail. It’s hard to predict how high the actual costs could go. However, as an initial starting point to determine the coverage limit you need, you simply multiply your industry’s average cost per record of a data breach by the number of records at risk.
Another good alternative is to look at the cyber insurance application provided by insurers, which will force you to go through the various aspects of cyber coverage, and where you may need protection. Insurers use your answers in the application to assess your overall cyber risk by calculating your threat, business impact, and control effectiveness landscapes.
Remember as you’re evaluating your own exposure to account for your business interruption exposure.
While the average direct cost of data breaches is high, the cost of lost business can be higher– More than 4.1 million on average. These costs include:
- Abnormal customer turnover
- Increased customer acquisition costs
- Reputation loss
- Negative publicity
- Diminished goodwill
Furthermore, there are 48 states that require notification of data breaches. One of the complicated components of a data breach is navigating the varied requirements not only by your state but also all the states where your customers are located. Fortunately, this is one of the things that insurance coverage can be helpful with.
To help minimize the impact of data breach losses on your organization when (not if) they occur, there are both financial and tangible losses that your organization can be protected against. Financial insurance coverage can range from cyber-event management and privacy extortion costs to business interruption losses. Tangible insurance coverages include property damage and bodily injury, as well as soon-to-come third-party coverage. For greater details on coverages & actual claim examples, visit www.data-breach-coverage.com.
Risk and prevention consultation is perhaps the most important thing you receive from an insurance company before a breach. You can also receive IT consultancy during and after a cyber-breach. Additionally, to help minimize the impact on your employees, you can offer ID protection as an employee benefit from companies such as the Oregon based IDExperts who has developed an innovative app that protects from both financial and medical identity risks. They also provide pre and post-breach services for your organization.
For additional information, please visit: Data breach insurance coverage or contact us.
Author: Craig Pankow, Managing Director, Commercial Insurance Division
Physicians & Medical Clinics:
Austin Early, Physicians Advisory Services Commercial Insurance
Contact: communications@tpgrp.com / 800-722-6339