Hackers Beat Out Insiders

Here is a surprising stat.  While we’ve often talked about the prevalence of insider threats, and how they are usually the leading cause of data breaches, July was the first month that hacking actually took precedence.  Usually, this is reversed, but in both occurrence and severity, hacking won out this time.  According to the report from Protenus, 17 hacks in July affected over 500,000 patient records, which is around 21 times those affected by insiders.

What led to this different result isn’t clear.  What is, however, is that hackers are always studying and innovating on their illicit tools of the trade, trying to make this survey dominance a recurring theme.

Which is why I like finding superb, yet simple recommendations for bolstering cybersecurity.  Like the ones over at Marketing Dive.  For third party agencies that handle the business critical data of their clients, the risk of becoming an access point to said clients is an extra concern.  Different clients will adhere to different levels of security, as well as have different priorities regarding risk and protection; agencies should thus adopt the standards of their strictest client.  In this way, an agency can increase its readiness to meet head on any security challenges from across their client base.  Another tip is for agencies to do exactly what I do every day: read about cybersecurity in the news.  By examining the details of any particular data security incident, agencies can strategize to mitigate the chances of the same type of breach happening to them.

This should be extra pertinent to them as consumer power for redress gradually grows.  Earlier this month, there was development in the case of Chantal Attias v. CareFirst, a case centered on a breach detected at health insurer CareFirst in 2015, almost a year after it occurred, and which compromised almost 1 million customer records.  The class action soon followed.  Now, the U.S. Court of Appeals for the District of Columbia has reversed the case’s earlier dismissal by a federal district court, which ruled insufficient evidence of harm for the plaintiffs.  Both personally identifiable information (PII) and protected health information (PHI) had been involved in the hack, thus opening the door to identity theft and establishing a plausible risk of harm for the customers.

“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury,” wrote appeals court judge Thomas Griffith.

Progress for consumers on this front is still slow.  A ruling like this (and others), however, should put companies on alert.  According to Ballard Spahr partner Edward McAndrew, “The D.C. Circuit decision and others like it are likely to lead to an increase in the types and numbers of civil cases filed against organizations that suffer data breaches of personal information.”  Avoiding security complacency is crucial.  Having the right tools, policies and procedures in place is essential, whether for detecting, preventing, or responding to incidents.