The Evolution of Data Breach Threats: A Look at Key Trends for the Year Ahead
The number of data breaches - both experienced and reported - is expected to continue to increase, with new security threats and regulations that push for more transparency on the horizon. For example, the U.S. Government Accountability Office reported that the number of such incidents involving personal data increased to 25,566 last year from 10,481 in 2009.
It's clear that protecting federal agencies from data breaches and cyber-attacks is a priority for the government. A White House working group on big data and privacy is taking steps toward that goal by researching national security and data breaches and providing recommendations to ensure that data is protected.
To better understand what may lie ahead, we need to look at how concerns about data breaches will evolve over the course of 2014.
Data Breach Cost Will Be Down But Still Impactful
As more government agencies learn how to identify and respond to security incidents and data breaches, the cost per record in data breaches will continue to decrease. However, security incidents and other breaches still may cause significant network disruption if not properly managed. A key factor in the reduction is agencies having a strong security posture with incident response plans in place.
Cloud and Big Data = Big International Breaches?
Tomorrow's data breaches are likely to be global in nature, adding significant complexity to the data breach response process. With the rise of the cloud, significant quantities of sensitive data now travel seamlessly across national borders very quickly. Yet, while these data flows are global, the data breach laws and cultural norms for responding to an incident are local. This makes responding to a large breach a significant compliance challenge.
With the European Union expected to pass more stringent regulations, the frequency of reported international data breaches is likely to increase dramatically.
Healthcare Breaches: Opening the Floodgates
Medical identity theft claimed more than 1.8 million U.S. victims before the end of 2013. The healthcare industry is entering a new frontier of security and regulations. The sheer size of the industry, coupled with health insurance exchanges - which are slated to add millions of individuals into the healthcare system - increases its vulnerability and susceptibility to data breaches.
Further, the industry also must comply with the new HIPAA data breach reporting requirements. Over the next year, reported incidents will rise and regulations will force organizations to re-evaluate data management procedures or face hefty fines.
A Surge in Adoption of Cyber-Insurance
The increase in cyber-related data breaches is driving the federal government to think beyond the traditional technology-centric strategy. Many companies in the private sector already are looking beyond just investing in technology to protect against attacks and are moving toward the insurance market to manage the financial ramifications of breaches. While there is a growing variety of coverage options for companies, the federal market still is in its infancy.
Not only does cyber-insurance provide a financial remedy, but the process of evaluating coverage helps many companies improve their security posture and preparedness as well. With the insurance industry evolving at breakneck speed, cyber-insurance will start to become a must-have, and the government should look to this option for agencies.
Breach Fatigue: Rise in Consumer Fraud?
Each day there are security incidents that go unreported, but as laws change and awareness grows, more breaches are likely to be made public. As the number of reported breaches in the media increases and the frequency of notifications that consumers receive grows, the public may become apathetic toward the subject. This fatigue could lead to significantly more harm by causing fewer consumers to take action to protect themselves after an incident, thereby exposing themselves to greater risk. To help fight fatigue and encourage action, notifications need to be clear and understandable.
Beyond the Regulatory Check Box
This year, state regulators and law enforcement will devote significant attention to helping organizations better manage breaches. This includes expanded enforcement action as well as opportunities to share best practices in helping to prevent incidents and protect individuals. While a national data breach law isn't likely to be passed this year, expect one by the end of the decade.
Looking ahead, it's imperative that the federal government and its organizations understand the evolving data breach environment and ensure that their response plans are enhanced continuously to address emerging issues.
Michael Bruemmer, CIPP/US, is vice president, Experian Data Breach Resolution, at Experian Consumer Services.