Complacency in the Face of Evolving Cybersecurity Norms is Hazardous
Cyber Review_April 2015
1. Data Breach Incidents – A Risk Mitigation Snapshot │ April 2015 1
Data Breach Incidents
A Risk Mitigation Snapshot: 2014 into 2015
Contributing Authors: Jessica Flinn, James Sheehan, William J. McDonough
If not already on the enterprise risk radar screen, cyber risks are quickly becoming a central issue for the C-suite
and board members in a variety of industries. Today, mitigating cyber risk is a concern for a wide range of
organizations. The scale and impact of breach incidents, coupled with the vulnerability of various organizations
to such attacks, threaten businesses across all sectors. As cyber threats evolve, the network security and
privacy liability insurance market tries to keep pace. Here, we will briefly consider how issues encountered in
2014 may influence market realities in 2015.
For discussion purposes, we will treat data breaches as incidents in which an individual’s social security
number, driver’s license number, medical record or financial record (e.g., account number, credit or credit card
number) has been acquired either unlawfully or without authorization.
The Frequency and Severity of Breaches
Unfortunately, 2014 was a year in which we witnessed U.S. data breaches reach record levels. It was also the
year when U.S. data breach incidents surpassed 5,000 with more than an estimated 675 million records
implicated.1
It is also important to note that many data breach incidents go unreported as organizations do not
want to incur the expense of notifying affected individuals or suffer the reputational harm resulting from a
release or breach.2
On an industry basis, healthcare again topped the Identity Theft Resource Center's 2014 Breach List with 42.5
percent of the breaches identified in 2014. The general business sector ranked second with 33.0 percent of the
data breach incidents, followed by the Government/Military sector at 11.7 percent, the Education sector at 7.3
percent and Banking/Credit/Financial at 5.5 percent.3
Among the larger breaches: Sony had 47,000 records stolen; J.P. Morgan had 83 million records stolen
(affecting 76 million households and 7 million small businesses); Home Depot had 100 million records stolen
(implicating 56 million credit cards and 53 million email addresses); and the eBay breach is estimated to involve
the email addresses, physical addresses and login credentials of up to 145 million users.4
1 Identity Theft Resource Center (2015, January 12). Identity Theft Resource Center Breach Report Hits Record High in 2014. Retrieved February 16, 2015, from http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
2 Ibid., 1.
3 Ibid., 2.
4 Collins, K. (2014, December 12). A Quick Guide to the Worst Corporate Hack Attacks of 2014. Retrieved January 21, 2015, from http://www.bloomberg.com/graphics/2014-data-breaches/
According to Ponemon Institute’s “2014 Cost of Data Breach Study: Global Analysis,” U.S. companies rank first
in the cost per compromised record of $201 per record (Figure 1) and have the largest number of exposed
records per breach (Figure 2). The news for U.S. companies deteriorates further as the report detailed the
average total cost of a data breach increased 15% and the average per record cost increased more than 9%.5
The retail and healthcare sectors saw the largest increases in compromised systems at 5% and 4%,
respectively.6
Figure 1. The average per capita cost of data breach over two years
(Measured in US$)
5 Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
6 Maginot Revisited: More Real-World Results from Real-World Tests. (2015, January 1). Retrieved January 21, 2015, from https://www2.fireeye.com/rs/fireye/images/rpt-maginot-revisited.pdf
Figure 2. The average number of breached records by country
Shown below are the number of exposed or compromised records for organizations in the ten countries represented in this
research. Organizations in the U.S., the Arabian region and India had the largest average number of records lost or stolen.
The Cost of Compromised Security to U.S. Companies
It is clear that the frequency and severity of data breach incidents have caused U.S. companies considerable
consternation in 2014 (see Figure 3 – 2014 Cyber Fast Facts). Of additional concern is the regulatory framework
that allows multiple agencies to assess fines and penalties when data has been released. Increased
participation by regulatory agencies necessarily results in increased costs attributed to a release. The Federal
Communications Commission's (FCC) entry into the arena illustrates how a regulator's involvement can
significantly increase the total cost of a release. Recently, the FCC proposed fines of $10 million to two
companies for alleged data security breaches. The Office for Civil Rights (OCR) issued seven resolution
agreements in 2014 as a result of HIPAA related privacy issues. The fines ranged between $150,000 and $4.8
million. Such fines are in addition to those often levied by state attorneys general.
Figure 3. 2014 Cyber Fast Facts
New Tactics
It’s Not All About Data Anymore
No longer are cyber intrusions limited to searches for personally identifiable information and protected health
information (PHI). There were several hacking incidents in 2014 that demonstrated how incursions into a
company’s network could have direct repercussions in the operations of an organization with worldwide
implications. Take, for instance, the attack on Sony. Aside from Sony’s data, the hackers took actions that
rendered the company’s entire computer network and landline phones unusable. In a separate cyber intrusion,
hackers gained access to a German iron plant’s blast furnace, and disrupted the plant’s production capabilities.
These incidents go beyond cyber extortion and illustrate how intrusions into a company’s computer network can
result in more than the soft expense associated with notification, data re-creation, remediation, etc. Hackers
have now realized their ability to disrupt a business's delivery of its core services. This disruption has real-world,
tangible consequences and manifests itself in loss of business and future opportunities.7
Card Issuers as Victims
In 2014 we witnessed the emergence of a new plaintiff’s class. The class consists of credit and debit card issuers
who incur considerable expense in issuing replacement cards and refunding monies to customers as a result of a
data breach. Take, for example, the Target case wherein the card issuers survived dismissal of their claims for
out-of-pocket costs. Essentially, the court found that the card issuers furnished a plausible argument that Target
was responsible for damages (i.e., the expense associated with the issuance of replacement cards) caused by the
7 King, R. (2014, December 18). Cyberattack on German Iron Plant Causes 'Widespread Damage'. Retrieved January 21, 2015, from http://blogs.wsj.com/digits/2014/12/18/cyberattack-on-german-iron-plant-causes-widespread-damage-report/?mod=ST1
hackers' intrusion into Target's network. The court's finding was somewhat novel in that there was no
contractual relationship between Target and the card issuers. Allegations of negligence, it seems, may carry the
day for banks and card issuers looking to recoup their costs from businesses that suffered an attack.
Plaintiff’s Bar Moving the Ball
The Target breach has also led to inroads for consumer plaintiffs’ pursuit of class action status. Previously, the
plaintiffs’ bar has had difficulty surviving motions to dismiss due to an inability to satisfy the damages element of
a negligence claim. Causes of action sounded in negligence require plaintiffs to allege actual or imminent injury.
To date, plaintiff’s bar has been unable to show that parties affected by a release of data, on its own, have
suffered damages or are in imminent risk of injury. However, the Court in the Target case appears more
receptive to this type of class action litigation at the motion to dismiss stage of litigation. Specifically, the Court
refused an individualized assessment of standing, instead concluding the requirement was met because some
plaintiffs alleged injuries of “unlawful charges, restricted or blocked access to bank accounts, inability to pay
other bills, and late payment charges or new card fees."8 This may significantly increase defense costs in the pre-class certification stage, as additional resources will be deployed in the discovery phase.
The Target court is not alone in moving the plaintiff’s bar closer to class certification. A recent California federal
district court found plaintiffs have standing to sue based on increased risk of future harm due to the alleged
release of their personally identifiable information. It should be noted that this ruling is contrary to the more
accepted line of reasoning, which finds that the increased risk of identity theft does not satisfy the concrete or
imminent injury requirement for standing.
What Lies Ahead
The era of the data breach is upon us and it is unlikely to recede. A new global standard for credit card security,
commonly referred to as ‘chip and pin’ technology, may help insulate consumers from credit card fraud;
however, hackers have turned their sights to the more lucrative fraud of identity theft. The misappropriation of
an individual's identity, either by the procurement of personally identifiable information or protected health
information, will allow the hacker to command a significantly higher per-record payment than credit card
data alone.
Personal Data Notification & Protection Act
President Obama has proposed new legislation that would create a single country-wide data breach
notification standard. The Act, as proposed, “clarifies and strengthens the obligations companies have to notify
customers when their personal information has been exposed, including establishing a 30-day notification
requirement from the discovery of a breach, while providing companies with the certainty of a single, national
standard.”9
If passed, this Act will replace the current patchwork of notification requirements implemented by
various governmental agencies and the individual states.
8 In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (PAM/JJK) (D. Minn. Dec. 18, 2014).
9 FACT SHEET: Safeguarding American Consumers & Families. (2015, January 12). Retrieved January 21, 2015, from http://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families
The Healthcare Industry Will Likely Retain First Place
It comes as no surprise that the healthcare industry will remain squarely in hackers’ sights. The personal
information contained in health records will enable hackers to perpetrate a multitude of different follow-up
attacks and various types of fraud, including financial exploitation and identity fraud. The FBI has warned the
healthcare industry that its attempts at cyber security remain woefully insufficient.10
As noted, in 2014 healthcare organizations accounted for about 42 percent of all major data breaches reported,
according to the Identity Theft Resource Center.11
A Ponemon study estimates that the potential cost of
healthcare industry breaches will reach $5.6 billion annually.12
Not surprisingly, it is expected that healthcare
breaches will increase as we continue a move towards electronic medical records and growing usage of mobile
and wearable technologies (Figure 4).
Figure 4. Preparing for the Risks of Mobile and Wearable Technology13
10 Weisman, S. (2014, December 20). Cyber predictions for 2015. Retrieved January 21, 2015, from http://www.usatoday.com/story/money/personalfinance/2014/12/20/cyber-hack-data-breach/20601043/
11 2014 Was Landmark Year for Health Data Breaches. (n.d.). Retrieved December 26, 2014, from http://www.healthdatamanagement.com/news/2014-Landmark-Year-for-Health-Data-Breaches-49505-1.html
12 Ponemon Institute. (2014, May 1). 2014 Cost of Data Breach Study: Global Analysis. Retrieved January 21, 2015, from http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf
13 The Global State of Information Security Survey, 2015.
[Figure 4 chart: "Mobile Technology Risk Prevention Initiatives - All Industries", measured as percent of all respondents. Initiatives shown: mobile security strategy; mobile device management software; ban of user-owned devices; corporate email and calendar …; strong device authentication; device encryption; use of geo-location, geo-fencing …; internal app store.]
Corporate IP and Trade Secrets Are Valuable
The Sony hack sent shivers through every R&D department in the digital universe. Hackers not only exposed
personal information and embarrassing internal communications, but also Sony’s valuable intellectual property
in the form of scripts, profits and budget projections. The intellectual property and trade secrets cultivated by
companies appear to be fair game for hackers interested in extortion.14
Figure 5 – How Breaches Occur15
Note: Although preventable errors are often to blame for security incidents, it was impossible to identify the
culprit in nearly 20 percent of the cases reviewed in the IBM Annual Report.
Policy Implications
The marketplace for cyber security and privacy liability insurance remains in its infancy and is struggling
towards maturation. The standardization of coverage terms and claims handling are a distant dream. Policy
terms and conditions differ from form to form, and market developments routinely result in mid-term
revisions. Typically, policies contain a number of insuring clauses that speak to coverage for breach response
costs and claims resulting from a cyber event. The forms may also provide coverage for extortion, network
damage, public relations and crisis management, website media content and regulatory investigation costs
arising out of a cyber event, as well as business interruption losses. Although provided, the sub-limits placed
on these ancillary coverages likely leave many companies substantially exposed.
Regulatory sub-limits placed on policies create a lack of meaningful coverage for many insureds, particularly in
14 Troutman Sanders LLP. (2014, December 19). 5 Reasons Sony Pictures Will Be a Cybersecurity Inflection Point. Retrieved January 21, 2015, from http://www.informationintersection.com/2014/12/5-reasons-sony-pictures-will-be-a-cybersecurity-inflection-point/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-
15 IBM Security Services Cyber Security Intelligence Index Report, 2014
Figure 5 chart – Cause of Breach (share of incidents):
Misconfigured System – 42%
End User Error – 31%
Undetermined – 15%
Vulnerable Code – 6%
Targeted Attack – 6%
the financial services and healthcare industries. With more regulators taking interest in cyber issues and data
breaches implicating multiple states’ statutes, it is anticipated that regulatory fines will continue to expand.
This will likely require insureds to make payments out-of-pocket for a portion of the regulatory fines,
particularly if more than one breach occurs in any given policy period.
In other instances the cyber policy may not provide coverage at all. For example, as evidenced by attacks on
Sony and J.P. Morgan, companies are vulnerable to hacking by nation states, criminal organizations or
terrorists. Many cyber policies have specific exclusions for acts of terrorism or acts of a nation state. Insureds
will need to keep a careful eye on the breadth of any such exclusion on their cyber policies.
Additionally, physical damage sustained by an insured as a result of a cyber-attack will likely be precluded from
coverage. Property insurers have been making it increasingly clear that they do not intend to provide insurance
for anything in the cyber realm. At this time, cyber insurance carriers have not shown an inclination to expand
coverage for this type of exposure. However, to ensure robust coverage, the insurance market will need to
adapt and create insuring clauses specifically geared towards addressing physical damage resulting from a
cyber incident.
Loss associated with an insured’s own intellectual property creates another vacuum in coverage. Today’s cyber
policies may provide coverage for the intellectual property of others, but do not extend to include first party
coverage. For instance, the loss Sony experienced relating to stolen screenplays and other valuable internal
intellectual property would not be covered under the typical cyber policy. Perhaps, with time, cyber insurers
can be convinced to add such coverage.
Concluding Thoughts
The cyber insurance market is in a constant state of fluidity. Carriers have been altering their policies to include
loss prevention and risk mitigation tools, from breach response teams to risk analytics. As cyber incidents
increase in frequency and severity, and evolve to keep pace with technological advances, the insurance
industry will need to create new forms of cyber coverage to meet the needs of their clients. As we wait for the
market to catch up, your insurance broker may be able to help with other suggestions to increase the breadth
of coverage by, for example, minimizing any state actor, contractual liability or bodily injury exclusions,
expanding the definition of "computer network" and backdating the prior acts date as far as possible.
Companies can also use collaboration to protect themselves. Information sharing platforms such as the
Information Sharing and Analysis Centers (ISACs), industry associations, and government agencies are valuable
risk-awareness tools. Sharing information should help companies improve their incident response through
trusted collaboration, analysis and coordination, and should drive decision-making by policy makers on
cybersecurity, incident response, and risk mitigation and financing for breaches.