10 Predictions About the Data Breach Landscape in 2015

by Chris Preimesberger

With the imminent adoption of EMV chip-and-PIN technology in the United States in October 2015, the window is closing for hackers to easily profit from point-of-sale attacks on brick-and-mortar retailers. EMV stands for Europay, MasterCard and Visa, a global standard for the interoperation of IC (integrated circuit-containing) cards. Retailers can expect a continued influx of payment breaches in the near-term before the new system is implemented late next year.

Cloud services have been a productivity boon for consumers and businesses. However, as more information gets stored in the cloud and consumers rely on online services for everything, the cloud becomes a more attractive target for attackers. In 2015, there will be an increase in hackers targeting online credentials, such as consumer passwords and usernames, to gain keys to the castle, with the strategy that compromising one record can often give access to all sorts of other information stored online. Incident response plans will need to include considerations of how to reset user passwords on a massive scale and send email promptly to all those potentially affected.

The expanding number of access points to Protected Health Information (PHI) and other sensitive data via electronic medical records and the growing popularity of wearable technology makes the health care industry particularly vulnerable to cyber-attacks. Case in point: It was reported that the FBI released a private notice to the health care industry earlier this year warning providers that their cyber-security systems are lax compared to other sectors. Health care organizations will need to step up their security posture and data breach preparedness or possibly face sanctions from federal regulators in 2015.

Along with a rise in health care breaches, medical identity theft remains a top concern among consumers as cyber-criminals look to capitalize on the bigger payout for PHI on the black market. Industry reports reveal medical identity theft has now claimed more than 1.8 million U.S. victims, granting hackers the ability to gain medical services, procure drugs and defraud private insurers and government benefit programs. Health care organizations face the challenge of securing a significant amount of sensitive information stored on their networks, which combined with the value of a medical identity string makes them an attractive target for cyber-criminals.

The Internet of things (IoT) is growing rapidly, offering a wide range of benefits for businesses looking to review data and optimize performance. More devices are being created with Wi-Fi capabilities and sensors that create the opportunity for everyday items—such as car keys, alarm systems or wearable devices—to relay information over the Internet and communicate with each other. As more companies adopt interconnected systems and products, cyber-attacks will likely increase via data accessed from third-party vendors. Businesses looking to take advantage of data available from the IoT need to emphasize risk management and security with third-party vendors that provide or have access to the same information.

Where previously IT departments were responsible for explaining security incidents, cyber-attacks have expanded from a tech problem to a corporatewide issue. With this shift, business leaders are being held directly accountable for data breaches. As we saw with some of the mega breaches in 2014, there is significant pressure for management teams to brush up on their knowledge on data breach preparedness or face the threat of being ousted from the company. Looking ahead, senior executives will be expected to have a better understanding of the data breach response plan, comprehension of new technologies and security protocols in the workplace and have a clearly defined chain of response should a breach occur.

Although there is heightened sensitivity for cyber-attacks among business leaders, a majority of companies will miss the mark on the largest data breach threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls. In fact, approximately 80 percent of breaches serviced by Experian in 2014 were the result of employee negligence. In 2015, people-based breaches will continue to be the leading cause of compromises but will receive the least attention. Organizations that implement regular security training with employees and a culture of security committed to safeguarding data will be better positioned for success.

A growing number of consumers are becoming more apathetic and are taking less action to personally protect themselves. This sentiment, called “data breach fatigue,” is likely to continue because the rate of reported data breaches is not expected to slow any time soon. To confront data breach fatigue, companies need to avoid treating the notification process as a compliance issue and conduct sincere communication with customers. Notification letters should include an apology and a clear explanation of what happened, why it happened and what consumers can do to protect themselves from fraud. This includes recommending that they check their credit reports and monitor financial or health records to identify any fraudulent activity.

In the absence of federal regulatory action for standardized data breach notification requirements, states may experiment with data breach laws in the coming year, from adjusting timing and content of notification, to defining personal data, and requirements to alert media and regulators. Unfortunately, for companies with customers in multiple states, there is no one-size-fits-all approach to notification that meets each standard. Currently, U.S. businesses face a patchwork of data breach laws across 47 states, along with the District of Columbia and Puerto Rico.

Experian’s Data Breach Resolution group released its first annual industry forecast report last year. While it accurately predicted an increase in health care breaches and a surge in adoption for cyber-insurance (which increased by 150 percent in 2014), they weren’t expecting the cost of a breach to rise. With the average data breach costing organizations $3.5 million, the financial impact of data breaches actually increased this year. Go here for the 2014 predictions.