On July 15, 2014, the New York Attorney General issued a report examining the growing number and costs of data breaches in the state of New York. The report, titled “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years’ worth of security breach data collected by the Attorney General and the impact of those breaches upon New Yorkers. The report finds that the number of security breaches reported to New York more than tripled between 2006 and 2013. Additionally, half of the largest breaches have occurred since 2011, with 2013 having the largest number of New Yorkers affected by data breaches.
The leading causes of the data security breaches were also reported by the Attorney General. The report found that approximately 40 percent of all breaches between 2006 and 2013 were the result of hacking intrusions (third parties gaining unauthorized access to data stored on computers). Nearly percent of all breaches were the result of lost or stolen equipment or documentation. And insider wrongdoing, increasing in frequency each year, accounted for approximately 10 percent of all breaches.
The Attorney General also reviewed the number of data security breaches reported by industry. Retailers were most likely to report three or more breaches between 2006 and 2013. The report links retailers’ susceptibility to attack – particularly restaurant retailers – to retailers’ payment systems, which have become a favorite target of hackers. In addition, health care providers not only showed a high incidence of three or more attacks but also experienced the largest number of personal records exposed between 2006 and 2013.
The data breaches experienced in New York had significant financial consequences, particularly to the organizations involved. The report estimates that in 2013 alone, breaches cost organizations doing business in New York over $1.37 billion. These costs include not only the costs of investigating the incident and notifying affected individuals and the expenses related to litigation, but also indirect economic consequences related to consumer and investor confidence.
In order to better protect themselves from data security breaches, the report recommends that organizations implement the following five practices:
1. Understand what data your organization has collected, maintained and stored, and review what steps have been taken to ensure security.
2. Minimize the collection of data, store data for the minimum time that is needed and delete any information no longer needed.
3. Create a comprehensive information security plan that includes encryption of data.
4. Implement the information security plan, which should include training of employees, communicating with third party vendors and conducting regular audits to ensure compliance.
5. Offer mitigation services to affected individuals.