Top six data breach trends for 2014

Jan. 10, 2014
Experian Data Breach Resolution’s Michael Bruemmer discusses what’s in store for the year ahead

The massive data breach recently suffered by Target is a prime example of the consequences organizations face when confidential information is either lost or stolen. Not only did it impact sales during the crucial holiday shopping period, but it also shook the confidence of many of the retailer’s loyal customers. The retail giant could also take a substantial financial hit. According to USA Today, multiple class-action lawsuits have already been filed against Target as a result of the breach and attorney generals in at least four states have asked the company for more information about the incident.

Of course, the theft of debit and credit card information from Target was just one of numerous data breaches that occurred last year. When it comes to 2014, however, the outlook for the impact and scope of data breaches appears to be mixed, according to a whitepaper published last month by Experian Data Breach Resolution. “In terms of this study, we felt we were in a good position to go ahead and provide some commentary on 2014 because we had another record year for number of incidents that we actually serviced,” said Michael Bruemmer, the company’s vice president.  

Here are six data breach trends that Bruemmer and his team at Experian expect to see in 2014:

1. Data breach costs to decline.   

Bruemmer said he believes that the costs of data breaches will continue to go down this year due to what he calls the three “I’s”: Increased awareness, increased preparedness and the influence of market demand.

“Recently we saw a study that was done by Dell SecureWorks where they found that in 2012, the cost of a full identity went down from about $40 to about $28,” he explained. “On the black market, people that are able to buy and sell identities just aren’t getting as much money as they were a year ago.”

2. Will the combination of the cloud and big data result in more international data breaches?

Because of the expansiveness of big data around the world and more international operations by U.S. companies, Bruemmer believes that the industry will see an increase in international incidents.

“At the same time, you’re also going to have the new regulations that the EU is working on… and there are two features that we’re watching very closely,” he said. “What’s going to be the time for notification and is it going to be as short as five days as is what is being proposed to the data protection authority and to affected parties, and then also the impact if you get fined for not meeting those guidelines. The talk that it may be a fine of up to two to five percent of worldwide revenue for an international company, which is very significant, will get people’s attention.”

3. Potential floodgates open to healthcare breaches.

Given the amount of media coverage about the lack of safeguards surrounding the new online healthcare exchange that was created late last year as a result of the implementation of the Affordable Care Act, Bruemmer believes that this is an area that people should pay close attention to in 2014. One of the problems, according to Bruemmer, is the sheer number of people that will be putting their personal information into the website.

“There have been reports that the data is not as secure as what people had hoped and these are reports even from the Center for Medicare and Medicaid Services,” he added.

Bruemmer said that between 45 and 50 percent of all incidents they service at Experian occur within the healthcare sector.

“The best advice that we give everybody is to have an incident response plan in place because it’s really not a question of if you’re going to have a data breach, but when will it occur,” he said. “Where we’ve seen clients have an incident response plan in place or as required by HIPAA and HITECH… we’ve seen organizations are much better prepared to react to that incident and respond accordingly.”

4. Surge in adoption of cyber insurance.

Last year, Experian conducted a study in conjunction with the Ponemon Institute, which found that a third of the more than 635 companies surveyed already had a cyber insurance policy in place, while another third indicated that they would get one within the next 12 months. Obtaining cyber insurance also helps organizations become better prepared for dealing with the threats they face from cyberspace.

“In that same Ponemon survey, 70 percent of the respondents said that they felt like they were better prepared just by applying for cyber insurance because you’re actually going through a pretty good sized cyber security checklist,” said Bruemmer. “I think that companies that do that take their cyber security much more seriously and are better prepared even if they don’t follow through immediately with contracting with the carrier to get a policy.”

5. Breach fatigue

While people are concerned about data breaches, Bruemmer said that because one in about every four consumers received a breach notification letter in the last year, they’re not taking them as seriously.

“They concerned about being spammed. What do I need to do? The letters are unclear and they just cast them aside instead of doing something with them,” he said. “We think that the number of people having letters sent to them, which was one in four last year, will probably go to somewhere between one in three and one in four.”

6. Going beyond the regulatory checkbox.

Because state and federal officials, such as attorney generals, are much more “amenable” to working with organizations before a breach occurs, Bruemmer believes that this spirit of cooperation between government officials and businesses will continue in 2014.

“Companies, hopefully because of the predictions we’re making, will take note and take, not only cyber security incidents, but data breach preparedness more seriously because they need to be on the watch. I use the analogy of every building has to have a fire evacuation plan, but that plan isn’t any good until you’ve practiced the fire drill and ensure everyone can get out in the allotted time and I think that applies to a data breach incident response plan,” Bruemmer concluded.