Data breach risk is the product of two trends: the proliferation of data exchanged within and between organizations. Much of this is personally identifiable information, which can give rise to identity theft or other forms of financial or reputational harm.
Expect the unexpected
Data breaches can come from almost any angle. In April 2012, the Boston Globe reported that a local hospital had notified 6,831 patients that their billing information could have been compromised after paper records were found blowing through a field several miles away from the hospital.
Data breaches take myriad forms. According to the Privacy Rights Clearinghouse (www.privacyrights.org), the biggest single cause by number of records breached (56%) is hacking or malware attacks.
Clearly, in such cases the risk of identity fraud is far higher than when data is simply mislaid: the data is, by definition, already "in the wrong hands."
The second largest cause of breaches is from the loss or theft of personal devices, such as laptops, PDAs, smartphones or memory sticks, accounting for 30% of breached records.
The third biggest cause of breaches, representing 6% of the records held in the PRC database, is insiders: individuals with legitimate access who intentionally breach personal information. Although 6% may not seem a large slice of the pie, the vast size of the PRC database means that it still accounts for nearly 340 million records.
The biggest risk
But for many organizations, the biggest risk does not come from hackers. It does not come from the breach itself at all. It comes from the organization mishandling its response to the breach, and thereby forfeiting the confidence and trust of customers and other stakeholders. What is really at stake in a data breach, particularly a large-scale data breach, is reputation.
How we help
Our service is designed to meet three critical needs:
“I read about it in the press before I heard about it from you,” is not something you ever want to hear.
Balancing the need for speed is the need for thoroughness in investigating the causes of the breach and in determining an appropriate course of action. A number of organizations have rushed to notify thousands of customers of a data breach, only to discover afterwards that no data actually escaped.
A data breach can only be successfully managed through smooth coordination among a number of parties. A little like a relay race, there is a risk of the baton being dropped at each handover.
We can provide a stand-alone policy with limits starting at $1,000,000.
Breach categories (source: Privacy Rights Clearinghouse, 10/18/2012):
- Hacking or malware: electronic entry by an outside party
- Portable device: lost, discarded or stolen laptop, PDA, smartphone, portable memory device, CD, hard drive, data tape, etc.
- Insider: someone with legitimate access, such as an employee or contractor, intentionally breaches information
- Unintended disclosure: sensitive information posted publicly on a website, mishandled, or sent to the wrong party via email, fax or mail
- Stationary device: lost, discarded or stolen stationary electronic device, such as a computer or server not designed for mobility
- Payment card fraud: fraud involving debit and credit cards that is not accomplished via hacking, for example skimming devices
- Physical loss: lost, discarded or stolen non-electronic records, such as paper documents
- Unknown or other