According to the Ponemon Institute, the average cost of a data breach in the US last year was $188 per record with an average of 23,647 records exposed. The average cost of a data breach is 15% more than it was last year. Reputation and loss of customer loyalty following a data breach also impact a company's bottom line. Having a data security policy is not enough. Organizations must have systems and training in place to ensure data security policies can be met and employees understand how to protect information. Secure document management systems that capture paper documents at the earliest point of entry into an organization can help prevent data breaches. Strong IT security policies backed by user and group access management and encryption technology can further prevent data breaches from occurring. Companies without policies and strong systems in place are at risk.
According to the Privacy Rights Clearinghouse, 148,000,000 records have been compromised in the government sector alone since 2005. Negligent employees, IT and business process failures cause more than 50% of all data breaches. The cost of a data breach can be staggering, impacting both the bottom line and productivity while putting the organization at risk of litigation and civil penalties.
Causes of Data Breaches
Malicious and Criminal Attacks: 42%
Negligent Employees: 30%
IT and business process failures: 29%
Per Capita Cost by Industry of a Data Breach
With so much at risk, we should expect companies to do a better job of developing security policies and vetting vendors before entrusting them with their data. A shocking number of companies still use unsecured off-site storage for their archival documents. Basements, attics, barns, and other unprotected low-cost storage areas leave archival records susceptible to water and fire damage as well as theft. Organizations storing their documents on shared network drives often fail to take security precautions to prevent unauthorized access, deletion, theft or data loss due to IT equipment failures. Data breaches can occur by accident but can have long-term effects. Both electronic and paper records are at risk. Paper records can be left out where unauthorized personnel and customers may have access. Records can be compromised when portable devices without proper encryption technology are stolen. Human error may cause records to be exposed when they are inadvertently thrown out instead of being shredded. Many companies are turning to the cloud, but vendor security is also important.
Cloud-based File Sharing and Vendor Security
Cloud vendor GoGrid suffered a breach when an unauthorized third party possibly viewed its customers’ account information, including payment card data. Online cloud storage provider Dropbox was involved in a class action lawsuit brought by users in July 2011 for failure to secure their private data and immediately notify them about a data breach. Plaintiffs alleged that Dropbox did not encrypt the personal data it stored according to industry best practices, according to reports. Another Dropbox fiasco involved hackers who pulled a list of Dropbox customer email addresses from a Dropbox employee’s Dropbox account. Another Ponemon Institute report, entitled “Data Breach: The Cloud Multiplier Effect,” surveyed key IT security practitioners in the US. The main points of the study suggest that:
1. Companies are not properly vetting cloud services for security
2. Certain activities such as rapid expansion of operations can boost the cost of a data breach
3. The most expensive data breaches relate to high value intellectual property brought to the company's own cloud
2013-2014 Data Breaches
1. Health and Human Services Agency, Napa, California: September 12, 2014
The Napa Health and Human Services Department, specifically In Home Supportive Services (IHSS), notified patients of a data breach when one of their flash/thumb drives was missing from their offices on Coombs Street. This portable drive contained information specifically related to their Comprehensive Services for Older Adults Division of HHS.
The missing drive was discovered during clean-up of their offices after the recent Napa earthquake. The offices have not been occupied since the earthquake. The information on the drive included names, addresses, phone numbers and information regarding patients' status in the IHSS program. The agency is reporting that no financial or Social Security information was on the flash/thumb drive.
2. Memorial Hermann Hospital, Houston, Texas: August 29, 2014
Memorial Hermann Hospital is notifying patients of a data breach after it discovered that a former employee accessed medical records of more than 10,000 patients. Reportedly the former employee had been accessing patient information that was outside their normal job description for over seven years, December 2007 through July 2014. The information breached included patients’ medical records, health insurance information, Social Security numbers, names, addresses and dates of birth.
3. Multi-State Billing Services, Somersworth, New Hampshire: July 2, 2014
Multi-State Billing Services LLC has let the 19 school districts that it services know that a laptop stolen from an employee’s locked vehicle contained records on nearly 3,000 students in 19 different school districts in Central and Eastern Massachusetts. The Central districts include Uxbridge, Ashburnham-Westminster Regional, Milford, Northboro, Northboro-Southboro Regional, Southboro and Sutton. The information on the laptop included names, addresses, Medicaid ID numbers and Social Security numbers. Multi-State Billing will reimburse costs related to security freezes for the next three years.
4. College of the Desert, Palm Desert, California: June 9, 2014
The College of the Desert in Palm Dale, California informed individuals of a data breach in their system when a college employee sent an unauthorized email attachment containing personal information of college employees to approximately 78 college employees.
The information contained in the attachment included names, Social Security numbers, dates of birth, zip codes, titles of positions held at the university, employment anniversary date, employee identification numbers, insurance information, and active or retired employee status.
5. California Department of Child Support Services, Rancho Cordova, California: May 6, 2014
The California Department of Child Support Services has notified individuals of a data breach that resulted in unauthorized disclosure of personal information. On April 7, 2014, letters from the Solano County Department of Child Support Services were misplaced while in the custody of a contracted courier who was transporting mail to the US Post Office.
6. Denny’s, Phoenix, Arizona: September 30, 2013
Job applications from a Denny’s in Phoenix were found in a dumpster behind the Denny’s. The paperwork dated back to August of 2012. The information included addresses, Social Security numbers, and other information normally found on job applications. The manager said there was a mistake and that similar paperwork is usually shredded.
7. University of Southern Maine, Portland, Maine: October 23, 2013
Someone broke into a University van and stole campus keys. The keys could give them access to nearly 50 Portland and Gorham campus buildings. The University is in the process of replacing locks of the affected buildings. Student, personnel, and other records may be accessible. Faculty, staff, and students were notified of the incident and encouraged to shut electronic devices down when leaving them unattended. They were also advised to not leave sensitive information or belongings in campus buildings without additional locks.
8. Baltimore City, Baltimore, Maryland: July 25, 2013
Thousands of current and former Baltimore City employees are at risk after a box was found with Baltimore City personnel information. Records had been discarded in a publicly accessible place for trash. Names, Social Security numbers, dates of birth, drivers’ license information, and other vital and personal employee information were contained in the records. The Department of Public Works obtained the box of information and is attempting to contact people based on lists of class attendants that were among the records.
9. Washington Inventory Service, Merriam, Kansas: August 28, 2013
A box of hundreds of employee records was found in a publicly accessible recycling dumpster. The box was later recovered by an employee, but the records were still left behind.
10. Mercedes-Benz of Walnut Creek, Walnut Creek, California: February 25, 2013
A February 7 or 8 office burglary at Mercedes-Benz of Walnut Creek resulted in the exposure of customer information. Locked file cabinets that contained customer deal files were burglarized and customer files were taken from the Service Department. The theft was discovered on the morning of February 8 and immediately reported. Customer names, Social Security numbers, addresses, credit reports, driver’s license information, insurance information, and credit card numbers may have been exposed.
How are you protecting your records?
Contact us to find out more about conducting a secure back file conversion of your paper records. After converting your paper records to electronic records, your records must be securely shredded and disposed of. The docSTAR document management system is a secure, scalable enterprise-level system that helps you comply with regulations and protect your data while increasing your productivity.
Once in docSTAR your electronic records are protected from unauthorized access via group, user and document level security settings you define. Audit features allow you to see every time someone accesses or changes a document. Automated record retention schedules allow you to classify records for automatic destruction or notify you when a record can be disposed of. With docSTAR you will never lose a record again.
Your data can be backed up to our SSAE 16 compliant co-location facilities to help you avoid the risks and hassles associated with building and managing your own data center. 24 x 7 x 365 management and monitoring help ensure uninterrupted access and protection of your mission-critical data. Contact us for backfile conversion costs and docSTAR pricing.