I see a lot of studies on data breaches in my role at Symantec. Naturally, the recent voluntary report on data breaches from California’s Attorney General piqued my interest. The report describes the 131 notifications her office saw in 2012 and provides recommendations based on those findings. And while it’s not as detailed as some studies from security vendors, the California report is consistent with trends we see nationally and globally. There are many useful nuggets and valuable insights that businesses can take away from this report, so I encourage you to give it a read. You can see the full report here. But, in the meantime, I’d like to offer up what I found to be the most interesting stats and how they compare to broader national and global data breach trends.
Most breaches are not mega-breaches
The report revealed that 2.5 million California residents were affected by data breach incidents in 2012, with the average breach impacting 22,500 people. This mirrors what we found in the 2013 Cost of Data Breach Report examining global data breaches in 2012, where the average number of breached records per incident was 28,765. Interestingly, only five breaches requiring notification to the California Attorney General impacted more than 100,000 people. While “mega-breaches” make for great headlines, they are not common and do not reflect the experience of most businesses that suffer a data breach.
Deliberate intrusions causing more data breaches
It’s not an easy task to compare apples-to-apples when it comes to data breach types because each study classifies breaches differently. But overall we see a growing trend of malicious causes, whether outsiders or insiders. The California report found that more than half of all the reported data breaches (55 percent) were the result of deliberate intrusions by outsiders or unauthorized insiders. The other 45 percent were the result of physical failures (27 percent) related to lost or stolen hardware and procedural failures (18 percent), such as misdirected emails or unintentional web postings.
In the 2013 Cost of Data Breach Study, malicious or criminal attacks were, for the first time, the most frequently encountered root cause of worldwide data breaches, at 41 percent, while 33 percent were caused by employee negligence (the human factor) and 26 percent by system glitches. Globally, the percentage of data breaches caused by malicious attacks was a bit lower at 37 percent, but this was still up over years past. And DataLossDB.org, which tracks data breach incidents globally, indicates that 57 percent of data breach incidents recorded last year resulted from hacks.
All of these data sets point to the fact that organizations should not get hung up on one particular threat vector; they need to address each problem in order to fully protect their data.
Organizations still not encrypting data
The most striking finding in the California report is that 1.4 million people would not have had their information put at risk if encryption had been used. That’s more than half of the 2.5 million California residents affected by data breach incidents in 2012. The California report goes on to say that 28 percent of the data breaches would not even have required notification had encryption been used. Encryption transforms data into a form that is devoid of meaning without a confidential process or key, so when encrypted data is exposed it remains safe and, in effect, the organization is exempt from reporting the breach.
We’ve frequently discussed why encryption software is one of the most fundamental security measures for protecting personally identifiable information (PII) and valuable intellectual property. This can be full disk encryption to protect information where it is stored or email encryption for information in transit. Yet many organizations still fail to encrypt.
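To make concrete what the two paragraphs above mean by data that is "devoid of meaning without a confidential process or key", here is an added example (not code from the original post or from Symantec) that encrypts each PII field of a customer record with AES-256-GCM from Go's standard library. The record layout, the field names, the record ID and the sample values are all constructed for this example; the key-management arrangement (key held in a KMS or HSM, never beside the records) is an assumption stated in the comments.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. Assumption for this example:
// a real deployment keeps the key in a KMS or HSM, never beside the records,
// so a stolen disk or misdirected file carries ciphertext but no key.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field with AES-256-GCM and returns nonce || ciphertext || tag.
// aad is authenticated but not encrypted; binding it to the record ID and field
// name means a ciphertext moved to another record or field fails to decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the ciphertext, tag, nonce or aad, or use
// of the wrong key, yields an error rather than garbage plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed value too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// fieldAAD is the context each field is bound to (hypothetical layout).
func fieldAAD(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// EncryptRecord encrypts every PII field of a record individually.
func EncryptRecord(key []byte, recordID string, fields map[string]string) (map[string][]byte, error) {
	out := make(map[string][]byte, len(fields))
	for name, value := range fields {
		sealed, err := Seal(key, []byte(value), fieldAAD(recordID, name))
		if err != nil {
			return nil, err
		}
		out[name] = sealed
	}
	return out, nil
}

// DecryptRecord is the inverse of EncryptRecord.
func DecryptRecord(key []byte, recordID string, enc map[string][]byte) (map[string]string, error) {
	out := make(map[string]string, len(enc))
	for name, sealed := range enc {
		pt, err := Open(key, sealed, fieldAAD(recordID, name))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", name, err)
		}
		out[name] = string(pt)
	}
	return out, nil
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the values are made up for this example.
	record := map[string]string{"name": "Jane Q. Public", "ssn": "000-00-0000"}
	enc, err := EncryptRecord(key, "cust-0001", record)
	if err != nil {
		panic(err)
	}
	for name, sealed := range enc { // what a lost disk or misdirected file exposes
		fmt.Printf("%-4s %s\n", name, hex.EncodeToString(sealed))
	}
	dec, err := DecryptRecord(key, "cust-0001", enc)
	if err != nil {
		panic(err)
	}
	fmt.Println("with the key:", dec["name"])
}
```

The hex lines printed by main are all that a breach of the stored records would yield; the same field encrypted twice produces different output because each call draws a fresh nonce, and the authentication tag means tampered or mis-filed ciphertext is rejected rather than decrypted to wrong values. Whether this satisfies a given notification statute is a legal question the post's author leaves to the report; the code only shows the technical property the exemption rests on.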
In her report, the Attorney General recommends that companies encrypt PII when moving or sending it out of their secure network and she suggests that the California Legislature may want to consider requiring such use of encryption, similar to what is currently required in Massachusetts and Nevada. She also plainly states that her Office will make it an enforcement priority to investigate breaches involving unencrypted personal information. If that isn’t a wake-up call for organizations to use encryption, I don’t know what will be.
Where to go from here
Over the past decade, California has been a leader when it comes to data breaches. In 2003, California was the first state to adopt breach notification laws, spurring 46 other states to follow suit. Perhaps this voluntary data breach report will do the same, and we may see more proactive reports detailing data breaches impacting people worldwide.
We can all learn valuable lessons from this sort of transparency. These insights matter because, no matter your size or where your business resides in the world, you should expect enforcement of data breach laws to increase, and you should bear in mind that these laws cross borders. Every organization can benefit from implementing information protection best practices and technologies – encryption in particular – to reduce the risk of data breach incidents.