BakerHostetler has released its second annual data security incident response report, which is based on 300 cases they advised on last year. The report provides some statistics on causes of incidents, which industries were most affected, and what happens after a security incident is detected – from containment, to notification, to regulatory investigations and even lawsuits. A final section in the report provides the eight components of being compromise ready and identifies measures companies should take to minimize the impact of an incident.
Key findings from the report include:
- Causes of incidents: phishing/hacking/malware (31%), employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%), internal theft (8%), and lost or improper disposal (6%).
- No industry is immune: the healthcare industry (23%) was affected more than any other. Rounding out the top three are financial services (18%) and education (16%).
- Number of individuals notified: for incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000.
- 52% of the incidents that BakerHostetler helped manage in 2015 were self-detected.
- Detection time – the time from when an incident first began until it was detected – ranged from 0 days to more than 400 days. The average time from incident to discovery across all industries was 69 days, with healthcare taking nearly twice as long as other industries. The average time from discovery to containment was 7 days.
- Notification time – the average amount of time from discovery to notification – was 40 days.
- Not all incidents require notification to individuals or the public at large. In about 40% of the incidents that BakerHostetler helped manage in 2015, notification or public disclosure was not necessary.
- Credit monitoring was offered in 53% of the incidents that BakerHostetler advised on in 2015 and the average redemption rate was 10%.
- Regulatory inquiries resulted from 24% of incidents reported, and litigation commenced after 6% of the incidents were made public.
Note that the average time from discovery to notification was 40 days. For HIPAA-covered entities, that may not be a problem, but some states now have notification requirements where a 40-day gap would be problematic.
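As an added illustration (not part of the report or this article), the Python below computes the same three intervals the report tracks – incident-to-discovery, discovery-to-containment and discovery-to-notification – over a few constructed incident records, and flags any incident whose notification gap exceeds a configurable deadline. The sample records and the 45-day deadline are assumptions chosen for the example, not values from the report.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import List, Optional

@dataclass
class Incident:
    name: str
    began: date                # when the incident first started
    detected: date             # when it was discovered
    contained: date            # when it was contained
    notified: Optional[date]   # None if no notification was required

    def __post_init__(self):
        # Reject inconsistent timelines instead of producing negative intervals
        if not (self.began <= self.detected <= self.contained):
            raise ValueError(f"{self.name}: began <= detected <= contained must hold")
        if self.notified is not None and self.notified < self.detected:
            raise ValueError(f"{self.name}: notification cannot precede discovery")

def _days(start: date, end: date) -> int:
    return (end - start).days

def timeline_metrics(incidents: List[Incident], deadline_days: int) -> dict:
    """Detection, containment and notification intervals, plus the incidents whose
    discovery-to-notification gap exceeds deadline_days (an assumed threshold)."""
    dwell = [_days(i.began, i.detected) for i in incidents]
    containment = [_days(i.detected, i.contained) for i in incidents]
    notified = [i for i in incidents if i.notified is not None]
    notify_lag = [_days(i.detected, i.notified) for i in notified]
    return {
        "dwell_mean": mean(dwell), "dwell_median": median(dwell), "dwell_max": max(dwell),
        "containment_mean": mean(containment),
        "notify_mean": mean(notify_lag) if notify_lag else None,
        "notification_not_required": len(incidents) - len(notified),
        "late_notifications": [i.name for i in notified
                               if _days(i.detected, i.notified) > deadline_days],
    }

# Constructed sample records for the example (not taken from the report)
SAMPLE_INCIDENTS = [
    Incident("phish-01", date(2015, 1, 5), date(2015, 3, 15), date(2015, 3, 22), date(2015, 4, 24)),
    Incident("lost-laptop", date(2015, 6, 1), date(2015, 6, 1), date(2015, 6, 2), None),
    Incident("vendor-breach", date(2014, 5, 1), date(2015, 6, 15), date(2015, 6, 30), date(2015, 8, 10)),
]

def summarize_sample(deadline_days: int = 45) -> dict:
    return timeline_metrics(SAMPLE_INCIDENTS, deadline_days)

if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key}: {value}")
```

Swapping in your own incident log and the deadline that applies to your jurisdiction turns this into a simple check of whether your program would have met the notification windows the article warns about.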