Breach Response: Lessons Learned
Experian's Michael Bruemmer on 2013 Breach Response Trends
The number of reported breaches is up considerably this year, but so is the overall quality of organizations' breach preparedness, says Michael Bruemmer of Experian Data Breach Resolution.
This is just one of the changes Bruemmer detects in how breached entities respond to these incidents. Another hot trend: The heightened role of cyber-insurance.
"In 2012, 10-15 percent of the incidents we serviced with clients had a cyber-insurance policy," Bruemmer says. "This year I think it will be closer to 30 percent. And then another third have already said ... they'll be buying a cyber-insurance policy in the next 12 months."
In an interview about 2013 breach response trends, Bruemmer discusses:
- What's changed/what hasn't for breached entities;
- The emerging role of cyber insurance;
- Necessary elements of breach response planning.
Bruemmer is Vice President, Experian® Data Breach Resolution at Experian Consumer Services, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
2013 Breaches by the Numbers
TOM FIELD: We've entered the final quarter of 2013. I know that you've done a number of investigations this year. What would you say are your observations on both the number and the types of breaches that Experian has seen so far in 2013?
MICHAEL BRUEMMER: We serviced about 1,700 breaches last year, in 2012, and currently, year-to-date with the run rate we're on, we'll service about 35 percent more incidents in total. The volume has picked up significantly. One thing that I can say that's still consistent about the top sectors is healthcare is still about 47 percent of all the incidents, followed by retail and then telecom. What we're seeing of note are many more international events. In many cases, these are U.S. national corporations that have expats or customers overseas.
FIELD: There are a couple of questions I want to ask you. First, from your perspective, what has changed about the types of breaches that organizations have encountered and what they're doing about them?
BRUEMMER: Three things come to mind. First, I think there's better preparedness. This year, I think there will be a lot more than 35 percent that don't have a data breach plan, as reported last year by Ponemon. We will have to wait and see, but that's number one. Number two, cyber-insurance is truly emerging and it's an emerging part of the data breach business. In 2012, 10-15 percent of the incidents we serviced with clients had a cyber-insurance policy. This year, I think it will be closer to 30. Another third have already said, according to another Ponemon study, that they'll be buying a cyber-insurance policy in the next 12 months. Finally, I think law enforcement and AGs are adopting a new philosophy, the "How can we help" versus "Do as I say and I'll fine you."
FIELD: For the most part, that all falls under the category of good news. The flip side of the question I want to ask you now is: We talked about what has changed. What hasn't changed about how organizations are responding to breaches?
BRUEMMER: I guess you could say this is kind of a bad side. The cost of data breach has gone up. In fact, the latest numbers are $9.5 million per incident over 24 months, with most of that, or 65 percent, in lost revenue or lost business. The second thing is three quarters, or 80 percent, of all breaches still have a root cause in employee negligence. Finally, under what I talked about with the initial question in the top sector, healthcare is still number one and I think it will continue to stay that way with a lot of developments, particularly the most recent healthcare information exchanges under Obamacare.
Breach Response: Influencing Factors
FIELD: We've covered a lot here in terms of the types of breaches, the industries that are suffering them, the role of cyber-insurance and the role of employees. If you look at all of these changes and what hasn't changed, what factors do you see most influencing change in terms of how organizations respond to breaches?
BRUEMMER: They fall under four big categories. The first one is, as we're all participants in this industry, there's a lot more evangelism for preparedness, and there's awareness that comes along with that, not only from the clients that we service but also from the media like yourself. Second I would say is new laws, like California 1798 and the updated final Omnibus Rule under HIPAA and HITECH, have created much more awareness and better preparation. In terms of data being out there, there's just a heck of a lot more data to protect and a lot more data to lose. I saw an article in Science Daily the other week and it said 90 percent of all the data in the world has been generated in the last two years. If you stop and think about that, that's amazing. Finally, the last thing relative to employee negligence is unfortunately people are still doing stupid stuff, and that's going to continue.
Top Breach Prevention, Response Advice
FIELD: Based on what you've seen and the investigations you've been involved in, what's the top-of-mind breach prevention and response advice that you offer to organizations now?
BRUEMMER: Given my previous answers, it's pretty easy to come to my top three. The first one is job-specific security and awareness training. Make sure employees really understand the significance of the data they're protecting. Make sure they have access to key data, particularly PII or PHI, only on a need-to-know basis and they understand the implications of that access.
Second, [have] a rehearsed data breach incident response plan. I put heavy emphasis on rehearsed because it's not good enough just to have the plan; it's got to be practiced, whether it's a tabletop exercise or a full-blown event that the company practices with all the departments that are a part of that incident response team on-call.
Finally, I'm a big advocate of cyber-insurance policies. As I mentioned, we have about a third of the incidents today that will have cyber-insurance. Another third of the people responded to a recent survey that we did with Ponemon on cyber-insurance and said that they're going to buy a policy. But even the fact that if you don't choose to have a cyber-insurance policy but go through the exercise of trying to qualify for it, 70 percent of those respondents said they felt better prepared just by having top-of-mind awareness, answering the questions for the underwriters on the policy, let alone actually invoking it. Those would be my top three.