What's Driving the Rise in Data Breaches?

Cyber insurance is growing in popularity as a means to mitigate the costs and risks associated with a data breach. Given the growing prevalence of data breaches in all industries, companies are seeking help. Industries with large volumes of high-value data—bank accounts and medical records to name a few—are particularly vulnerable to data breaches. Thieves value big data for its profit potential—often reselling it to other thieves or using it for multi-million-dollar healthcare fraud schemes.

InformationWeek recently reported that 419 data breaches were publicly disclosed in 2011 in the U.S., for a total of 22.9 million records exposed, based on a study from the Identity Theft Resource Center. Privacy Rights Clearinghouse reports a larger number; it tracked 535 breaches in 2011 that involved 30.4 million records, including the notorious Sony PlayStation incident. As these varying statistics prove—and as industry experts point out—it’s difficult to accurately pin down the actual number of breaches; many went unnoticed by the media, or weren’t even reported at all.


Several trends are contributing to the increased growth in the number and complexity of data breaches:

  1. Growing dependence on business associates. Gone is the idea of “it’s easier to do it myself.” Economic realities are causing companies to outsource many of their functions, such as billing, to a business associate or third-party provider. Unfortunately, the more parties with access to privacy data, the more likely a data breach will occur. We’ve seen this trend in healthcare, where growing liability and the extra-sensitive nature of patient health records make data breaches a particularly painful experience. Even if a business associate causes a data breach, the healthcare provider, as the “data owner,” is accountable for its loss or theft. This is compounded by the lack of trust healthcare organizations place in their business associates: 69 percent of healthcare organizations who participated in a study on patient privacy and data security by the Ponemon Institute say they have little or no confidence in their business associates’ ability to secure patient data. In fact, several data breaches in 2011 point to errors caused by business associates. Yet it is the primary data owners that face class-action lawsuits.
  2. Taking data to the cloud. To offset computing expenses, many organizations are outsourcing data processing to third-party cloud providers. For example, the cloud’s applicability for Health Information Exchange (HIE)—a main component of the Electronic Medical Records or Electronic Health Records (EMR/EHR) meaningful use initiatives—could contribute to the strong growth of cloud computing in healthcare, according to CompTIA. As with business associates, cloud computing raises a host of security concerns, as well as challenges when responding to a breach. A cloud computing provider may deny access to its data centers during an investigation, or prohibit forensics from making a mirror image of a server—a common forensics method—because it may have multiple customers’ data on that server. A cloud computing provider may disclaim liability, leaving an organization to bear the brunt of the risk and cost.


  3. Using personal mobile devices for business, or bring your own device (BYOD). To save money and to simplify life for employees who don’t want to carry around multiple devices, companies are allowing the use of personal devices to store or process corporate privacy data. More than 80 percent of respondents in the Ponemon study say they use mobile devices that collect, store and/or transmit some form of protected health information (PHI). Yet half of the respondents in the Ponemon study say they don’t do anything to protect these devices. In addition, connecting a device with corporate privacy data to a less-than-secure network at home increases the risk of a data breach. And the portable nature of mobile devices makes them all too easy to steal or lose. Many companies are developing BYOD policies to enable a certain level of security, although this puts an employee’s own personal data at risk for exposure.

Economic realities and technological advances have forever changed the way companies amass, use, and store their biggest asset—data. The increased dissemination of data to more people in less-secure environments puts that asset at risk for exposure. Smart companies understand that risk, and are taking proactive steps to protect their data, their customers, and their good name.


Next week: "Healthcare Data Breaches: Handle with Care."




About the Author
Rick Kam, CIPP


Rick Kam, CIPP, is president and co-founder of ID Experts, a Portland, Ore.-based provider of comprehensive data breach solutions. He is an expert in privacy and information security, with extensive experience leading organizations to address the growing problem of protecting PHI/PII and remediating privacy incidents, identity theft, and medical identity theft. He is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).  

About the Author
Jeremy Henley, CHPC


Jeremy Henley is an insurance solutions manager for ID Experts, a Portland, Ore.-based provider of comprehensive data breach solutions. He is certified by the Healthcare Compliance Association for Healthcare Privacy and Compliance and has 11 years of sales and leadership experience. He regularly speaks at national conferences on the topics of privacy and security preparedness and data breach response and best practices.  

