ARTICLE
19 January 2017

Top Five Data Breach Trend Predictions For 2017

Seyfarth Shaw LLP

As we begin the new year, companies are continuing to survey the ever-changing data-breach landscape and assess their own preparedness for the worst. And with data security threats becoming more complex, sophisticated, and diverse every year, it is no small task. For those of you wondering what data breach trends might look like this year, and what to do to avoid them, Experian Data Breach Resolution, drawing on its experience with over 17,000 data breaches over the last decade, offered the following five predictions in its 2017 Data Breach Industry Forecast:

Aftershock password breaches will expedite the death of the password.

  • What and Why: Companies will face the consequences of previous data breaches, as usernames and passwords breached years earlier (often from an unrelated company) continue to be sold on darknet markets and replayed against other sites where the same credentials were reused.
  • The Takeaway: Companies should consider (1) using multi-factor authentication to verify users to help solve the password reuse problem; (2) accounting for aftershock breaches in their data-breach response plans; and (3) educating customers about resetting their passwords and about the broader risk associated with password reuse across websites.
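The check behind takeaway (1) and (3) above, as an added example that is not part of the original article: screening a password at login or registration against credentials leaked in earlier breaches, using the k-anonymity range-lookup pattern (send only the first five hex characters of the SHA-1 hash, compare the rest locally) that breach-data services such as Have I Been Pwned expose. The breach corpus, the `range_lookup` stand-in for the network call and the `evaluate_login` policy are all constructed for this example; a real deployment would query a live service or a locally mirrored dump with the same prefix/suffix scheme.

```python
"""
Added example (not from the original article): screen a password against
a corpus of credentials leaked in earlier ("aftershock") breaches using
the k-anonymity range-lookup pattern. Only a 5-character hash prefix ever
leaves the client; the full hash is compared locally.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample corpus (assumption, not real breach data): plaintexts
# that "leaked" in prior breaches, with an occurrence count for each.
_LEAKED_PASSWORDS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 2_500_000,
    "qwerty": 800_000,
    "letmein": 120_000,
    "Summer2016!": 42,
}


def _sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the representation range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index leaked hashes by their first five hex characters, mirroring
    how a range query returns every suffix that shares the requested prefix."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in leaked.items():
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


BREACH_INDEX = build_breach_index(_LEAKED_PASSWORDS)


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Stand-in for the network range call (hypothetical): the caller
    reveals only the 5-character prefix and gets back all (suffix, count)
    pairs under it, so the service never learns which password was checked."""
    return BREACH_INDEX.get(prefix.upper(), [])


def breached_count(password: str) -> int:
    """Return how many times the password appeared in prior breaches
    (0 if never seen). The suffix comparison happens on the client side."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_login(username: str, password: str, mfa_verified: bool) -> str:
    """Illustrative login policy (assumption): a password seen in a prior
    breach is accepted only when a second factor was verified, and even
    then the user is made to reset it; without MFA the login is refused."""
    if breached_count(password) == 0:
        return "allow"
    if mfa_verified:
        return "allow_require_reset"
    return "deny_force_reset"


if __name__ == "__main__":
    for pw in ("Summer2016!", "correct horse battery staple"):
        print(f"{pw!r}: seen {breached_count(pw)} times in prior breaches")
    print(evaluate_login("alice", "password", mfa_verified=False))
```

The prefix index is what makes the lookup privacy-preserving: every suffix sharing the five-character prefix comes back, so the server cannot tell which of them the client was interested in. In production the leaked-hash source would be an external service or a mirrored dump, and the reset decision would also feed the notification step in the response plan, since a hit means the credential is already circulating.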

Nation-state cyberattacks will move from espionage to war.

  • What and Why: Cyberattacks by hackers sponsored by foreign nations will likely continue to increase and escalate. Although these attacks are motivated by the desire to gain intelligence, they will lead to collateral damage to consumers and businesses through widespread outages or exposure of personal information.
  • The Takeaway: Businesses should prepare for large-scale attacks, particularly if they are a part of critical infrastructure, by staying vigilant about their security measures and by considering purchasing proper insurance protection.

Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.

  • What and Why:
    • Medical records will remain cybercriminals' top target, as medical information is lucrative and, once stolen, easy to exploit for medical identity theft.
    • Experian predicts that in the new year mega breaches will move on from focusing on healthcare insurers to distributed hospital networks, which might have more security challenges compared to centralized organizations.
    • Experian also predicts that electronic health records (EHRs) will likely be a primary target for attackers, since EHRs are widely used and, over their lifetime, are likely to pass through a compromised computer.
    • The top breach vector will likely be ransomware, because a disruption of healthcare operations could be catastrophic and most organizations would rather pay the ransom than fight the attack. According to recent guidance from the HHS Office for Civil Rights (OCR), depending on the facts, a ransomware attack may itself be classified as a breach that requires notification under the HIPAA Breach Notification Rule (45 CFR 164.404).
  • The Takeaway: Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans in the event of a ransomware attack and adequate employee training about the importance of security.

Criminals will focus on payment-based attacks despite the EMV shift taking place over a year ago.

  • What and Why: As many retailers are still slowly transitioning to the EMV Chip and PIN technology, payment related breaches will continue to make headlines in 2017. According to an industry study from 2016, only 37 percent of retailers in the United States can process chip cards. Criminals are also going to use new techniques to steal payment card information through use of different types of Point-of-Sale (POS) skimmers.
  • The Takeaway: Companies behind the curve in adopting the new technology should speed up their plans for EMV Chip and PIN adoption, while also paying close attention to potential weak spots, including detecting POS skimmers quickly. As a general practice, and as we previously discussed on our blog, retailers should also focus on PCI DSS v3.2 compliance.

International data breaches will cause big headaches for multinational companies.

  • What and Why:
    • Experian reports that, according to a recent study from the Ponemon Institute, 42 percent of companies have not included processes to manage an international data breach in their incident response plans.
    • As we previously discussed on our blog, the General Data Protection Regulation (GDPR), which applies across the EU from May 2018, introduces a mandatory 72-hour breach-notification requirement. Under the new rule, breaches must be reported to the appropriate Data Protection Authority unless they are unlikely to put individuals at risk (for example, because the data was anonymized or encrypted). Furthermore, breaches likely to cause harm to an individual, such as identity theft or a breach of confidentiality, must also be reported to the affected individuals. Failure to report a breach when required to do so may result in a fine, in addition to a fine for the breach itself. Similar regulations are set to take effect in Canada and Australia.
    • Given the high stakes in an international breach and the lack of preparedness, Experian predicts that at least one U.S. multinational will experience a significant loss in its valuation as a result of an international breach in 2017.
  • The Takeaway: Companies need to begin working toward achieving compliance with the new Regulation to ensure they are fully prepared to handle an international data breach.

Companies are at a big disadvantage when trying to defend against cyberattacks. The number and sophistication of cybercriminals increase each year, and many large and mid-sized businesses, with their multiple points of entry, become hackers' targets, particularly if they hold valuable personal, financial, or medical information. For many organizations, even those with sound security practices, a data breach may be unavoidable and is likely only a matter of time. However, all organizations holding protected data need to strive to comply with the security requirements of their regulators, industry security standards, and customer expectations. Increasing data-breach preparedness, through the development and implementation of a comprehensive cybersecurity program and framework, can go a long way toward avoiding, or at least substantially mitigating the impact of, a data breach.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
