Data breaches have made big headlines in recent years, from Target to Equifax to Hudson’s Bay Co’s Saks and Lord & Taylor. But the growing trend is actually in all the litigation stemming from data breaches. International law firm Bryan Cave analyzed the increasing trend of legal action following data breaches of all sizes. It found that in 2016 alone, there were 76 class action lawsuits related to data breaches:
- 34% were within the medical industry
- 95% had negligence as the most popular legal theory
- 86% emphasized the breach of sensitive data
Our own research supports these findings. Radware’s 2018 Consumer Sentiments Survey found that 55% of U.S. consumers stated that they valued their personal data over physical assets, i.e. cars, phones, wallets/purses. In addition, Radware’s C-Suite Perspectives report revealed 41% of executives reported that customers have taken legal action following a data breach. Consequences of data breaches have extended past bad press, and include lasting effects on stock prices, customer acquisition costs, churn, and even termination of C-Suite level executives.
Types of sensitive data vary by industry and therefore have respective attack methods. For example, the finance and commerce industry are expected to protect data such as names, contact information, social security numbers, account numbers and other financial information. Likewise, the healthcare industry is at high risk of data breaches, as medical records contain the same personal data in addition to more details that aid in identity fraud – such as doctor and prescription records, medical insurance information, and individual health attributes from height and weight to blood type.
On the surface, data breaches fall under the jurisdiction of CISO, CTOs, etc., but CEOs are now just as likely to be held responsible for these incidents; Target’s then-CEO was forced to resign following its 2013 data breach. Other CEO’s at Sony and Home Depot were no longer in their positions within 6 months of their high profile breaches.
Laws and regulations surrounding data breaches are now moving at a faster pace due to steeper consequences, with the implementation of the European Union’s General Data Protection Regulation (GDPR) and the United States’ growing interest and demand in data privacy and protection. Security at its bare minimum is no longer realistic, and instead a competitive advantage for smart companies. C-level executives who aren’t reviewing security plans are opening themselves and their companies to significant liabilities.
How does GDPR affect me?
The GDPR’s purpose is providing protection over the use of consumers’ personal data. Companies are now held to a higher expectation to protect their customers’ data, further emphasizing the evolving consideration of cybersecurity as a necessity in business. At its strictest, companies found not having done enough can be penalized upwards of €20 million or 4% of the offending organization’s annual worldwide revenue.
Although data breaches alone are months of bad publicity in general, the wrath of consumers often stem from the delayed notification and response from the company. Companies incur this fury when they attempt to keep a data breach hidden only for it to be uncovered, resulting in increased litigation costs. The GDPR now mandates and upholds companies to the high standard of notifying data breach-affected consumers within 72 hours.
Targeted for a Data Breach
In 2013, one of the most notable, mainstream headlines focused on the data breach of Minnesota-based, retail giant Target Corporation. During the holiday shopping season, Target revealed their mass data breach of personal information, of which 40 million customers had personal financial data stolen and 70 million had general personal data (such as email and addresses) revealed. Attackers were able to exploit the company’s customer database through a third-party vendor’s stolen credentials, utilizing malware as the weapon of choice; the same malware was later utilized to attack other retailers such as Home Depot. Hackers after the finance and retail industry still utilize malware like Target’s 2013 data breach to create pathways from minimally-protected 3rd parties into more complex systems.
At the end of the investigation, Target had to pay a fine of $18.5 million across the U.S. in addition to its cumulative legal fees of a staggering $202 million for the data breach. What goes unmentioned however, is also the potential cost of lost customers from these breaches, as well as the brand reputation decline. The company must also abide to new Terms of Agreements by various State Attorney Generals that include requiring Target to employ a security leader for the creation and management of a thorough information security program, in addition to other related guidelines.
The Early Bird Avoids the Attack
Target became a lasting example of the need for cybersecurity to be implemented within a company’s architecture and business processes. The topic of protecting customer data has become its own high-profile discussion across various industries, rather than just within the technology industry. Being proactive with not only the security surrounding the company’s products/services, but also the data it collects, will be a competitive differentiator moving forward.
Radware research found that 66% of C-Suite Executives across the world, believed hackers could penetrate their networks, yet little is changed to implement protections as exhibited by the graphic below.
Sensitive data across all industries are valuable, coming at different prices in the dark net market. As data breaches are becoming more commonplace, industries have to take different levels of precaution in order to protect consumers’ personal data. For example, the healthcare industry heavily utilizes encryption to protect data such as medical records and prescription history. However, attackers are also implementing encryption attack tools in order to access this information. It is crucial for the cybersecurity systems of these organizations to be able to distinguish between valid encrypted information versus attack information encrypted with SSL, in order to prevent a breach. A comprehensively designed network infrastructure that consistently manages and monitors SSL and encryption technology through its security systems can ensure protected network and data privacy.
Transitioning cybersecurity from the hallways of IT and embedding it into the very foundation of business operations allows an organization to scale and focus on security innovation, rather than scrambling to mitigate new threats as they evolve or worse, litigating expensive class actions. In addition, this proactive approach further builds customer relationships via improved trust and loyalty. Knowing that cybersecurity is a company’s and CEO’s priority will help the customer feel more at ease with potential partnerships and strengthens the level of trust between.
Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.
Mike O’Malley brings 20 years of experience in strategy, product and business development, marketing, M&A and executive management to Radware. Currently, Mr. O’Malley is the Vice President of Carrier Strategy and Business Development for Radware. In this role, he is responsible for leading strategic initiatives for wireless, wireline and cloud service providers. Mr. O’Malley has extensive experience developing innovative products and strategies in technology businesses including security, cloud and wireless. Prior to Radware, Mr. O’Malley held various executive management positions leading growing business units at Tellabs, VASCO and Ericsson. Mr. O’Malley holds a Master of Business Administration degree, a Master of Science in electrical engineering, and a Bachelor of Science in electrical engineering from the University of Illinois. He also is a graduate of the Executive Strategy Programs at the University of Chicago.