Device Debacles – Lost, Stolen, and Neglected Data Risks
Karen Taylor for AllClear ID
When we think about threats to private data we often think of the headline-grabbing cyber attacks. We tend to forget the data breaches that result from a more mundane cause — the loss of devices and documents on which the data resides.
Yet, according to experts, there is a real and present danger of data being breached through lost, stolen, and neglected devices such as servers, computers, and cell phones, and through lost or neglected documents.
In one study, eSecurity Planet found the leading cause of data breaches has been the theft or loss of unencrypted laptops and USB drives. “If there’s a difference between a laptop theft today and 10 years ago, it’s that it’s probably got saleable data on it,” stated ESET senior security researcher Stephen Cobb.
Further, in its 2014 Healthcare Breach Report, data protection company Bitglass found that “68% of breaches since 2010 occurred because devices or files were lost or stolen, while only 23% were due to hacking.”
While not as sensational as external threats, internal data security threats come with the same high costs — regulatory penalties, lawsuits, and PR nightmares.
For example, the Ponemon Institute found that “lost or stolen devices increased breach costs by $18 per record.”
Losing Sight of Lost Data Risks
Every year there are hundreds of cases of missing data due to lost, stolen, and neglected devices and documents in every industry — from banking to healthcare. Here are just a few scenarios.
Lost in Transportation. An employee of a large Canadian bank lost two back-up servers while transporting them from one location to another. The tapes included the private data of 260,000 customers, including Social Security numbers and bank account information.
Blowing in the Wind. In 2014, a man found patients’ medical records scattered down a street blowing out of a trash dumpster. The records contained the patients’ names, addresses, phone numbers, Social Security numbers, and other private information patients shared with a healthcare provider in Kansas City, Missouri.
Missing in Inaction. In February 2012, a healthcare provider lost ten computer disks that were being stored in an empty office. They contained encrypted personal information on over 300,000 patients, including names, diagnosis, Social Security numbers, and more. Emory Healthcare faced HIPAA fines, a HIPAA breach violation, and a class action lawsuit.
Dealing with a Physical Data Breach
The moral of these stories is that your breach preparedness plan should cover the steps you need to take to deal with and recover from a device breach as well as the more sensational cyber breaches. In many instances, enhanced employee security and data disposal training may prevent a data breach from occurring altogether.
Keep in mind that from a customer’s perspective, the loss of their private data by any means is often catastrophic. They are not concerned whether it was a high-tech, headline-gripping malicious attack or a mistake that sent their private information blowing down the street. They just want to know how the organization is going to help them recover after a data security incident.
As entities entrusted with our customers’ data, we should treat every data breach with equal care, concern, and proactive communication.