Brian Pennington

A blog about Cyber Security & Compliance



Aftermath of a Data Breach

Ponemon Institute, sponsored by Experian®, has released the findings of their Aftermath of a Data Breach study.

The study was conducted to learn what organizations did to recover from the financial and reputational damage of a data breach involving customer and consumer records.

Consumer and customer information collected by organizations is at great risk due to employee negligence, insider maliciousness, system glitches or attacks by cyber criminals. Since 2005, according to the Privacy Rights Clearinghouse (PRC), 543 million records containing sensitive information have been breached. PRC says this number is conservative because they track only those breaches that are reported in the media and many states do not require companies to report data breaches to a central clearinghouse.

In 2011, what is considered the biggest consumer data breach ever occurred. As reported by PRC, as many as 250 million consumers received notices telling them that their email addresses and names were exposed. Another significant data breach took place at the end of the year and involved the theft of credit card information.

The organizations represented in this study have had at least one data breach involving customer and consumer records in the past 24 months.

A summary of the study is below:

All of the organizations in the study had at least one data breach involving consumer information and 85% report that more than one breach involving customer/consumer data occurred in the past 24 months.

In the aftermath of a data breach, IT respondents believe the following:

  • They are more confident than senior leadership about the ability to keep customer data secure from future breaches.
  • By far, negligent employees, temporary employees or contractors make organizations vulnerable to future breaches. Accordingly, conducting training and awareness programs and enforcing security policies should be a priority for organizations.
  • Privacy and data protection became a greater priority for senior leadership following the breach. As a result, IT security budgets for most organizations in this study increased.
  • They are concerned that customer data stolen from their organizations will be used to commit identity fraud.
  • The top three actions believed to reduce the negative consequences of the data breach are hiring legal counsel, assessing the harm to victims and employing forensic experts.
  • Lessons learned from the data breach are to limit the amount of personal data collected, limit sharing with third parties and limit the amount of personal data stored.

In Ponemon’s previous study, Reputation Impact of a Data Breach, the findings reveal that it can take a year to restore an organization’s reputation with an average loss of $332 million in the value of its brand.

For purposes of this study, they asked respondents to focus on the one data breach they believe had the most significant financial and reputational impact on their organizations. The study is organized according to the following three topics:

  • Circumstances of the data breach
  • Response to the data breach
  • Impact of the breach on privacy and data protection practices

In most cases, sensitive data lost or stolen was not encrypted

  • 60% of respondents say the customer data that was lost or stolen was not encrypted
  • 24% said the data was encrypted
  • 16% are unsure

Organizations report that their most sensitive data was lost or stolen

Respondents to the study were asked to focus on the one data breach that had the most severe consequences for their organizations.

What type of data did your organization lose?

  • Name: 85%
  • Address: 69%
  • Email address: 70%
  • Telephone number: 58%
  • Age: 43%
  • Gender: 35%
  • Employer: 20%
  • Educational background: 18%
  • Credit card or bank payment information: 45%
  • Credit or payment history: 41%
  • Password/PIN: 48%
  • Social Security number (SSN): 33%
  • Driver’s license number: 29%
  • Other (please specify): 9%
  • Don’t know: 11%

Insiders and third parties are most often the cause of the data breach

What was the main cause of the data breach?

  • Negligent insider: 34%
  • Malicious insider: 16%
  • Outsourcing data to a third party: 19%
  • Systems glitch: 11%
  • Cyber attack: 7%
  • Data lost in physical delivery: 5%
  • Failure to shred confidential documents: 6%
  • Other: 2%

Data breaches reduce an organization’s productivity

50% of respondents say the most negative consequence of the breach was the loss of productivity. In the aftermath of a data breach, key employees may be diverted from their usual responsibilities to help the organization respond to and resolve the data breach.

This is followed by:

  • 41% a loss of customer loyalty
  • 34% legal action

Data breach response strategies need improvement

  • 50% believe the organization made the best possible effort following the data breach
  • 30% say that it was successful in preventing any negative consequences from the data breach
  • 27% believe their data breach notification efforts increased customer and consumer trust in their organization
  • 63% believe their senior leadership views privacy and data protection as a greater priority than before the breach

Prompt notification and assessment of harm to victims are the steps most often taken in response to a data breach

The study reveals that the top three data breach response activities are:

  1. prompt notification to regulators as required by law
  2. prompt notification to victims by letter
  3. careful assessment of the harm to victims

New steps are taken to reduce negative consequences

Prompt notification to victims is no longer considered most helpful in reducing the negative consequences of the data breach.

The respondents indicated that the most helpful steps are:

  • retaining outside legal counsel
  • carefully assessing the harm to victims
  • hiring forensic experts

Credit monitoring and identity protection services are not often offered to victims

Despite the fact that many organizations lose the loyalty of their customers following a data breach, services that might maintain or even strengthen the customer’s relationship with the organization are not offered as frequently on a voluntary basis.

  • 30% say they offer credit monitoring services
  • 19% say they offer identity protection services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans and alerts.

If services are offered, they are provided for one year or less

Company’s data will be used to commit other types of identity fraud

While many of the respondents are confident about protecting their customers’ personal information, 64% say they are concerned that now that the data may be in the hands of criminals it will be used to commit other types of identity fraud.

Impact of a breach on privacy & data protection practices

In the aftermath of a breach, senior leadership believes the organization is more vulnerable to a breach

  • 49% of respondents say senior leadership believes the organization is more vulnerable to future data breaches
  • 27% of the IT respondents say the organization is more vulnerable, indicating greater confidence in preventing future breaches
  • 28% believe their customers’ personal information is at greater risk since the data breach occurred

Lessons learned may improve privacy and data protection practices

Responding to the breach improved organizations’ understanding about how to investigate a future breach.

  • 66% say that the experience of investigating the causes of the breach will help them in determining the root causes of future breaches
  • 61% believe employees are more aware of the need to protect sensitive and confidential information. Training and awareness is the most often cited activity put in place to prevent future data breaches

Privacy and data protection became more of a priority and IT security resources increased following the data breach

  • 61% of respondents say their organizations increased the security budget
  • 28% hired additional IT security staff
  • 9% say they increased the budget for the compliance staff
  • 4% say they hired additional privacy office staff

Organizations are now minimizing the amount of personal data collected, shared and stored

  • 31% say the data breach has had no effect yet on how the organization uses personal data
  • 49% now say they limit the amount of personal data collected
  • 48% now limit the sharing of this data with third parties
  • 42% say the organization limits the amount of personal data stored
  • 27% say the organization now limits the amount of personal information used for marketing purposes

Ponemon’s Conclusion

We conducted this study to better understand how a data breach affects organizations over the long term. It is interesting to note that it took a serious data breach that had both financial and reputational consequences to make privacy and data protection a greater priority and allocate additional resources to the IT security function. While many respondents were unable to determine the root cause of the data breach, there is a consensus among respondents that insider negligence is making their organizations vulnerable to a data breach. As a result, organizations are investing in training and awareness and technologies that minimize the human factor risk.

The findings also show the concern organizations have about losing the loyalty of their customers. Of the IT practitioners surveyed, few felt that prompt notification to victims is helpful in reducing the negative consequences of the data breach. This suggests that compliance with data breach notification laws is not sufficient if an organization is concerned about customer loyalty and reputation.

For a full copy of the Ponemon / Experian study click here (registration is required).


Data Protection & Breach Readiness Guide

The Online Trust Alliance (OTA) has released its 2012 Data Protection & Breach Readiness Guide, a comprehensive guide outlining key questions and recommendations to help businesses with breach prevention and incident management.

This post is a summary of their results and guidance.

Craig Spiezle, Executive Director and President of the Online Trust Alliance said

“Last year, more than 125 million people were affected by data loss incidents. Combined with the increased awareness of these high visibility incidents and aggressive data collection and sharing practices, consumers’ trust and online confidence is under attack. By following the recommendations in this guide we have an opportunity to enhance online trust and promote the vitality of the internet”

Rob McKenna, Washington State Attorney General and 2011-12 President of the National Association of Attorneys General said

“Today’s consumer is often aware of when their personal data is collected and wants to ensure that businesses protect it. The Online Trust Alliance’s resources are a valuable tool for businesses committed to ensuring customers’ privacy and security”

John Roberson, Executive Director, Small Business Development Resource Center, Chicagoland Chamber of Commerce said

“Businesses need to look holistically at data privacy and ask, ‘What is the compelling business reason to keep customer data?’ When you have a data incident, the more data you have stored – and compromised – the more damaging it can be for both the individual and the company. The OTA guide gives key insights into questions that companies need to ask themselves to protect their customers and delivers information for any business developing, implementing, or updating their privacy policies and notices”

“The Internet has become the land of opportunity for scams and, unfortunately, we see thousands of them every year,” notes Genie Barton, Vice President of the Council of Better Business Bureaus and director of its Online Behavioral Advertising Program. “Consumers need assurances that they can trust the companies they do business with to secure their data, and the OTA Data Protection & Breach Readiness Guide is a great tool to help businesses protect themselves and their customers. BBB is happy to recommend it to businesses large and small, and we are delighted to help build a safer Internet for all by supporting excellent initiatives such as this guide.”

The 2012 Guide recommends that businesses need to accept three fundamental truths about data:

  1. The data they collect includes some form of Personally Identifiable Information (PII) or “covered information”
  2. If a business collects data it will experience a data loss incident at some point
  3. Data stewardship is everyone’s responsibility

Highlighted statistics for 2011 incidents:

  • 558 breaches
  • 126 million records
  • 76% server exploits
  • 92% avoidable
  • $318 cost per record – an increase of over $100 per user record from 2009
  • $7.2 million average cost of each breach
  • $6.5 billion impact to U.S. businesses

The 558 incidents were those recorded by the Privacy Rights Clearinghouse (PRC) and the Open Security Foundation, and were broken down by sector as follows:

  • Education (schools and colleges) 13%
  • Government agencies 15%
  • Health care providers 29%
  • Business 43%

Compared to 2010, the sectors with the highest percentage change were:

  • Healthcare with an 11% increase
  • Business incidents decreased by 13%

In Verizon’s 2011 Data Breach Notification report, 50% of all data breaches were through hacking (up 10% over 2010) and 49% incorporated malware (up 11% over 2010). Most alarming is that 96% were avoidable through simple steps and internal controls.

The implications of a breach to the organization can be grave, for example:

  • An employee of Massachusetts General Hospital left 192 patient records on a subway; the hospital was fined $1M by the US Department of Health and Human Services
  • The Massachusetts eHealth Collaborative, a 35-person non-profit, experienced a single laptop theft that cost them over $300,000 in legal, private investigation, credit monitoring and media consultancy fees. Employees also spent over 600 hours dealing with the damage that the breach caused to their brand and reputation.

The report offers the following guidance:

Data Incident Plan Framework

An effective Data Incident Plan (DIP) includes a playbook that describes the fundamentals of a plan that can be deployed on a moment’s notice. Organizations need to be able to quickly determine the nature and scope of the incident, take immediate steps to contain it, ensure that forensics evidence is not accidentally ruined and immediately initiate steps to notify regulators, law enforcement officials and the impacted users of the loss.

Risk Assessment/Prevention

To help maximize business continuity, organizations are encouraged to self-audit their level of preparedness by asking key management leaders the following questions:

  1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
  2. Do you have an accounting of all stored data including backups and archived data?
  3. Do you have a map of data workflows both within your organization and your vendors’ organizations to identify points of vulnerability?
  4. Do you have a 24/7 incident response team in place?
  5. Is management aware of the regulatory requirements related specifically to your business?
  6. Have you conducted an audit of your data flows across your company and vendors, including a privacy and security review of all data collection and management activities?
  7. Are you prepared to communicate to customers, partners and stockholders during an incident?
  8. Do you have access credentials in the event key staff is not available?
  9. Do you have an employee contact list to use in the event of a breach, and is it updated with current contact information on a quarterly basis?
  10. Are employees trained and prepared to notify management in the case of accidental data loss or a malicious attack? Are employees reluctant to report such incidents for fear of disciplinary action or termination?
  11. Have you coordinated with all necessary departments with respect to breach readiness? (For example information technology, corporate security, marketing, governance, fraud prevention, privacy compliance, HR and regulatory teams).
  12. Do you have a privacy review and audit system in place for all data collection activities including that of third-party/cloud service providers? Have you taken necessary or reasonable steps to protect users’ confidential data?
  13. Do you review the plan on a regular basis to reflect key changes? Do key staff members

The report identifies 19 steps that an organisation must take if it is to be effectively prepared to handle a data breach:

  1. Data Classification
  2. Audit & Validate Data Access
  3. Forensics, Intrusion Analysis & Auditing
  4. Data Loss Prevention Technologies
  5. Data Minimization
  6. Data Destruction Policies
  7. Inventory System Access & Credentials
  8. Creating an Incident Response Team
  9. Establish Vendor and Law Enforcement Relationships
  10. Create a Project Plan
  11. Determine Notification Requirements
  12. Communicate & Draft Appropriate Responses
  13. Providing Assistance & Possible Remedies
  14. Employee Awareness & Readiness Training
  15. Analyse the Legal Implications
  16. Funding & Budgeting
  17. Critique & Post Mortem Analysis
  18. Implement Steps to Help Curb Misuse of Your Brand, Domain & Email
  19. International Considerations

The complete OTA guide is available here.
