Cyber insurance is growing in popularity as a means to mitigate the costs and risks associated with a data breach. Given the growing prevalence of data breaches in all industries, companies are seeking help. Industries with large volumes of high-value data—bank accounts and medical records to name a few—are particularly vulnerable to data breaches. Thieves value big data for its profit potential—often reselling it to other thieves or using it for multi-million-dollar healthcare fraud schemes.


InformationWeek recently reported that 419 data breaches were publicly disclosed in 2011 in the U.S., for a total of 22.9 million records exposed, based on a study from the Identity Theft Resource Center. Privacy Rights Clearinghouse reports a larger number; it tracked 535 breaches in 2011 that involved 30.4 million records, including the notorious Sony PlayStation incident. As these varying statistics prove—and as industry experts point out—it's difficult to accurately pin down the actual number of breaches; many went unnoticed by the media, or weren't even reported at all.


Read related: “Carriers Increase Capacity, Competition for Cyber Risk.”


Several trends are contributing to the increased growth in the number and complexity of data breaches:

  1. Growing dependence on business associates. Gone is the idea of “it's easier to do it myself.” Economic realities are causing companies to outsource many of their functions, such as billing, to a business associate or third-party provider. Unfortunately, the more parties with access to privacy data, the more likely a data breach will occur. We've seen this trend in healthcare, where growing liability and the extra-sensitive nature of patient health records make data breaches a particularly painful experience. Even if a business associate causes a data breach, the healthcare provider, as the “data owner,” is accountable for its loss or theft. This is compounded by the lack of trust healthcare organizations place in their business associates: 69 percent of healthcare organizations who participated in a study on patient privacy and data security by the Ponemon Institute say they have little or no confidence in their business associates' ability to secure patient data. In fact, several data breaches in 2011 point to errors caused by business associates. Yet it is the primary data owners that face class-action lawsuits.
  2. Taking data to the cloud. To offset computing expenses, many organizations are outsourcing data processing to third-party cloud providers. For example, the cloud's applicability for Health Information Exchange (HIE)—a main component of the Electronic Medical Records or Electronic Health Records (EMR/EHR) meaningful use initiatives—could contribute to the strong growth of cloud computing in healthcare, according to CompTIA. As with business associates, cloud computing raises a host of security concerns, as well as challenges when responding to a breach. A cloud computing provider may deny access to its data centers during an investigation, or prohibit forensics from making a mirror image of a server—a common forensics method—because it may have multiple customers' data on that server. A cloud computing provider may disclaim liability, leaving an organization to bear the brunt of the risk and cost.

Read related: “Get Your Head in the Cloud.”

  3. Using personal mobile devices for business, or, bring your own device (BYOD). To save money and to simplify life for employees who don't want to carry around multiple devices, companies are allowing the use of personal devices to store or process corporate privacy data. More than 80 percent of respondents in the Ponemon study say they use mobile devices that collect, store and/or transmit some form of protected health information (PHI). Yet half of the respondents in the Ponemon study say they don't do anything to protect these devices. In addition, connecting a device with corporate privacy data to a less-than-secure network at home increases the risk of a data breach. And the portable nature of mobile devices makes them all too easy to steal or lose. Many companies are developing BYOD policies to enable a certain level of security, although this puts an employee's own personal data at risk for exposure.

Economic realities and technological advances have forever changed the way companies amass, use, and store their biggest asset—data. The increased dissemination of data to more people in less-secure environments puts that asset at risk for exposure. Smart companies understand that risk, and are taking proactive steps to protect their data, their customers, and their good name.


Next week: “Healthcare Data Breaches: Handle with Care.”

