In the press release, Schneiderman reported that a record 1,300 data breaches were reported to the state Attorney General’s office in 2016. That represents a 60% increase over the prior year.
Common Breach Trends
Each year, across the various annual breach reports, we see human error leading the way as the top cause of security incidents. This report shows similar trends.
Hacking – i.e. phishing and malware – caused 40% of the breaches. It’s preached time and again: make sure employees are trained and aware of the latest social engineering threats. But the rising numbers don’t lie. We still click on funny emails or compelling messages.
Right on its heels, employee negligence takes second place, causing 37% of reported breaches. This encompasses lost laptops, accidental disclosure of records, and insider threats. Again, this highlights the importance of training employees on privacy and data security best practices.
ePlace Solutions makes cyber training courses available to policyholders. The courses touch on several relevant topics: Social Engineering, Threats of a Data Breach, Safeguarding Information, and Data Security Basics.
Reach out to firstname.lastname@example.org to find out if your organization has access to these training courses.
Attorney General Recommendations
Schneiderman included a list of recommendations for organizations to consider. They’re geared toward helping organizations protect sensitive data.
Reviewing the recommendations is a good idea. The Attorney General’s office could use them as a benchmark in the future when evaluating whether a company has reasonable security practices in place.
Recommendations from the AG’s office:
- Understand Where Your Business Stands: The first step toward an effective data security policy is to understand what information your business requires for its operation, what data has already been collected and stored, how long the data is needed and what steps have been taken to ensure security. Organizations should review how sensitive data is acquired, how sensitive information is being shared with third parties, and what access controls are in place.
- Identify and Minimize Data Collection Practices: Put simply, data that does not exist cannot be stolen or lost. Collect only information that you need, store it only for the minimum time that you need it, and deploy data minimization tactics wherever possible. For example, if your company uses a point-of-sale system, ensure that expiration dates are not stored with credit card numbers. Reduce the use of highly sensitive data points, such as Social Security numbers, unless absolutely necessary, and minimize the length of retention for such data. Delete any information you no longer need.
- Create an Information Security Plan That Includes Encryption: Creating a comprehensive Information Security Plan is a complex but necessary endeavor. Studies show that entities with an effective plan will articulate not only technical standards, but will incorporate training, awareness, and detailed procedural steps in the event of data breaches. Read more about what a comprehensive security plan should include in the report.
- Implement an Information Security Plan: Successful implementation of a thoughtfully designed plan can be one of the most effective ways to minimize the risk of a data breach. Elements to consider when implementing a plan include ensuring employees are aware of the plan and conducting regular reviews to ensure the plan continues to conform with evolving best practices.
- Take Immediate Action in the Event of a Breach: Remember to investigate all security incidents immediately and thoroughly. In the event of a breach, the law may require you to notify consumers, law enforcement, state Attorneys General’s offices, credit bureaus and other businesses.
- Offer Mitigation Products in the Event of a Breach: While not required by law, New Yorkers affected by a data breach should be provided with mitigation services for free. These include credit monitoring, which provides alerts, usually by email, whenever an application for new credit is submitted to a consumer credit reporting agency, and a security freeze, which blocks new credit accounts. The cost of clearing up the consequences of identity theft can easily reach into the thousands of dollars and require hundreds of hours attending to administrative burdens.