Data Breaches: Facts and Fiction

Did you know that over 1 in 4 companies face a chance of a material data breach in the next two years? The Ponemon Institute confirmed this in its study sponsored by IBM. Did you also know that 47% of firms learn of a breach of their personal information (PI) from a notification by an external party? According to security company FireEye’s M-Trends 2017 report, “Trends from the Year’s Breaches and Cyber Attacks,” they are usually notified by the FBI or Secret Service that either the company’s or an employee’s data has been breached.

Security is top of mind at TRICOM at all times. By the nature of our business – financing, processing payroll, paying client taxes, etc. – we handle personal information every single day, and keeping that information secure is a top priority.

That’s why we found this year’s session at the ASA Staffing Law Conference, Avoiding a Data Breach: Legalities of Electronic Recordkeeping, presented by Cynthia Larose, Esq., member, Mintz Levin Cohn Ferris Glovsky & Popeo PC, especially critical. Think you’re safe from a data breach because of the size of your company or because you have a firewall? Think again.

Cynthia identified the top five misconceptions of data breaches:

  1. “I’m too small for hackers to bother with.”
  2. “We have firewalls – our people say we’re ok.”
  3. “We would catch it quickly.”
  4. “We don’t collect credit cards so it doesn’t affect us.”
  5. “It wouldn’t affect our business.”

Each of these misconceptions is wrong, for many reasons. No target is too small for hackers – wherever there is personal information to be gained, there is a target. Firewalls can be bypassed as simply as someone in your office unsuspectingly opening an email attachment. There is no guarantee that a breach would be caught quickly, or caught before damage was done. Even if you don’t collect credit cards, you hold a host of employee information: Social Security numbers, addresses, banking details, spousal information, and insurance data, all of which can be used for identity theft, a costly and widespread crime. Any type of data breach can impact your business, because bad press reflects poorly on your brand. As Cynthia stressed in her presentation: DON’T BECOME A HEADLINE.

What is a Data Breach?
A data breach is unauthorized access to, or acquisition of, personal information. It includes the loss or theft of physical property that contains personal information, such as a package or a laptop.

State laws differ on the definition of personal information and what constitutes a security breach.

Cynthia points out that state laws also differ on other key aspects of data breaches including:

  • Encryption “safe harbors” (exemption from notifications if the compromised data is encrypted and the key is not compromised)
  • Notification to state agencies
  • “Likelihood of harm” threshold
  • Timing and content of individual notifications

Most states apply the definition of a “data breach” to computerized data only, but some also include paper records: Alaska, Iowa, Washington, Hawaii, Massachusetts, Wisconsin, Indiana, and North Carolina. Some states also prescribe specific wording that must be used in notifications. Florida has the strictest data breach laws.

It’s important to note that the applicable law is determined by the state where the employee or affected individual resides – NOT the state where the company is located. 48 states have data breach notification laws, and they can vary significantly. You must notify the affected individual of a breach, and you may also be required to notify that state’s attorney general.

Data Breach Breakdown
Data breaches can be costly headaches – and no one is completely immune.

As we mentioned earlier, companies face a 26% chance of having a material breach in the next two years. Security company FireEye also found that externally discovered breaches went undetected for an average of 109 days.

According to the Verizon 2016 Data Breach Investigations Report, internal incidents account for 1 in 5 successful breaches. Verizon also counted 10,489 incidents of “insider and privilege misuse” last year, such as an employee taking a file home to work on his or her own system and a breach occurring there. In January 2017, Boeing discovered a breach of personal information for 36,000 employees after an employee emailed a document to a spouse for formatting help, not realizing that the document contained sensitive information.

The Verizon report also indicated that 63% of confirmed data breaches involved weak, default, or stolen passwords, and warned that social media passwords should never be the same as your company network passwords. The report concludes that NO locale, industry, or organization is invulnerable to data breaches.

And these breaches are costly: IBM Security’s Cost of Data Breach Study found that the average total cost of a data breach was $221 per record in 2016.

Legal Responsibility for Data Breaches
Cynthia noted that under most state laws, the entity that owns, licenses, maintains, or stores data containing personal information of a resident of that state is responsible for the security of that data.

If an entity that “maintains or stores personal information” (in most cases this includes cloud providers, data centers, and suppliers providing services such as payroll) experiences a breach, it is legally responsible only for notifying the owner of the data; the owner of the data is responsible for notifying everyone affected (statutory notice). As a staffing company owner, the owner of the data is YOU, and it is your obligation to provide statutory notice if a breach occurs.

One important way to ward off a data breach is to encrypt files that contain personal information before sending them. Encrypting files may seem like a nuisance and a waste of time, but it can save a great deal of headache and expense if you are ever the target of a breach. It’s also important to confirm that you’re sending files to the correct person, and that the files are always encrypted. As we mentioned earlier, if encrypted files are compromised but the key is not, the breach may fall under an encryption “safe harbor,” in which case you are not required to send data breach notifications.

As personal information is increasingly transferred electronically, the risk of a data breach grows. It’s important to remain diligent about data security for your own peace of mind and that of your employees and customers.

Next month, we’ll continue our focus on cyber security with an article on W2 phishing, and an Industry Insider webinar that looks at Ghost Employees and Paycard Theft Best Practices.

Verizon 2016 Data Breach Investigations Report:

Mintz Matrix of State Data Breach Notification Laws: