PRESS RELEASE
24 April 2017

Be Compromise Ready: Go Back To The Basics

BakerHostetler

Contributor

Recognized as one of the top firms for client service, BakerHostetler is a leading national law firm that helps clients around the world address their most complex and critical business and regulatory issues. With five core national practice groups — Business, Labor and Employment, Intellectual Property, Litigation, and Tax — the firm has more than 970 lawyers located in 14 offices coast to coast. BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, an award-winning data privacy practice and an industry-leading business practice. The firm is also recognized internationally for its groundbreaking work recovering more than $13 billion in the Madoff Recovery Initiative, representing the SIPA Trustee for the liquidation of Bernard L. Madoff Investment Securities LLC. Visit bakerlaw.com
United States

We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach hotline in the first three months of 2017 than we did during all of 2015.

Ransomware was the biggest development we saw last year – it was involved in 23% of the network intrusion incidents. Because no one measure can guarantee a successful defense against ransomware, we do not expect this issue to go away.

Our 2016 Report focused on companies being "compromise ready" to detect, respond to and contain incidents faster. That still holds true. In fact, our experience shows that companies should be focused on the basics, such as education and awareness programs, data inventory efforts, risk assessments, and threat information sharing. Most incidents are not the result of a sophisticated, never-before-seen, unpreventable, zero-day attack. Instead, networks are often as fallible as the people who build and maintain them. Both skilled and unskilled attackers are able to access networks, whether the networks have little or "next gen" security.

Notable statistics from the report include:

  • Cause of incidents: phishing/hacking/malware (43%), employee actions/mistakes (32%), lost/stolen devices or records (18%), internal theft (3%), other criminal acts (4%).
  • No industry is immune: The healthcare industry (35%) was affected more than any other. Rounding out the top three are finance and insurance (16%) and education (14%).
  • Number of individuals notified: For incidents in 2016 where notification was made, the average number of individuals notified was 77,230. The drop from 2015 is likely related to the increase in W-2 phishing incidents, which typically involve a population of thousands rather than millions of employees. Nearly 10% of all incidents we worked on involved W-2 phishing emails.
  • Self-detected incidents comprised 64% of the incidents that BakerHostetler helped manage in 2016. This number continues to increase, primarily due to more and more companies deploying endpoint monitoring.
  • Not all incidents require notification to individuals or the public at large. In 44% of the incidents that BakerHostetler helped manage in 2016, notification or public disclosure was not necessary or appropriate.
  • Credit monitoring continues to be offered in response to breaches. Last year, 64% of the companies that notified individuals offered credit monitoring. Although redemption rates continue to be low in very large incidents (typically less than 5%), in W-2 phishing email incidents, the redemption rate can be 40% or even much higher.
  • Attorneys general remain active, and inquiries were made in 29% of incidents reported to AGs.
  • Litigation results less frequently, with less than 5% of all matters resulting in litigation. This year, we have provided a section in the report that discusses the cases we are working on and the trends in this area.

The full 2017 BakerHostetler Data Security Incident Response Report can be found here. We will host a webinar to provide more in-depth commentary on these findings on May 9 at noon EDT, and will also be posting weekly blog entries every Tuesday and Thursday for the next several weeks that will look at the findings in depth.
