Other common causes of security breaches included insiders stealing company data and phishing attacks.
The survey of 1,000 in-house lawyers for organizations in 30 countries found that most respondents anticipate that their role in cybersecurity, which was traditionally the domain of IT departments, will increase in the coming year.
However, only 10 percent of lawyers surveyed said they have a budget for addressing cybersecurity. Although half of respondents said their organizations carry cybersecurity insurance, only 19 percent of those who experienced a breach said their insurance policy fully covered their losses.
According to the report, health care is the industry most at risk for a cyber attack, followed by insurance and manufacturing/retail. Nicole Hong “Employee Error Leading Cause of Data Breaches, New Survey Says,” blogs.wsj.com (Dec. 9, 2015).
Attorneys are becoming more involved in data security, as this survey shows, because cybersecurity is a legal and liability issue as much as an IT issue.
When personal information is compromised as a result of poor cybersecurity, customers, employees, or other victims can file a class action lawsuit against the organization for jeopardizing their confidential information. As more class actions occur, so will legal involvement.
Data breach lawsuits can be extremely costly. One of the most notable recent cybersecurity failures was the 2013 Target breach of up to 110 million customers’ credit and debit card information. In 2015 Target settled a resulting class action lawsuit for $10 million. In addition, Target agreed to reimburse thousands of financial institutions as much as $67 million for costs incurred from the breach.
In 2013, health insurance company, AvMed Inc., agreed to pay $3 million to settle a class action lawsuit for maintaining inadequate data security because of the 2009 theft of laptop computers containing the personal information of 1.2 million customers.
Although attacks by international hackers garner more attention, this report shows that employee negligence actually poses the greatest risk to an organization’s cybersecurity.
In order to protect data security, employees should receive training in the following:
1. Mobile device security, including never leaving mobile devices unattended in public and physically locking them in the office when not in use;
2. Malware prevention, including regularly scanning computers for malware;
3. Identity theft, including not sharing personal information on email or insecure websites;
4. Phishing, including never clicking on links in an email;
5. Passwords, including how to create strong passwords by using pass phrases; and
6. Wi-Fi security, including never using an insecure public network to send confidential information.