The Dallas Morning News details a recent data breach in which a number of laptops with patient records were stolen from the back of city ambulances between 2011 and 2014. Do stolen computers count as data breaches?
As it turns out, loss or theft of devices is one of the top causes of data breaches. Some IT professionals spend so much time thinking about digital security that they forget to think about physical security. Data can still be stolen the old-fashioned way.
This news story gives us an opportunity to review the most common sources of data breaches and how their costs and liabilities vary.
Who Is Liable: IT Consultants and Device Theft
In a statement, Dallas City Hall informed the public that at least one application on the stolen laptops was not properly secured, which means that medical data for patients treated in the ambulances could have been exposed.
Why wasn't the software secure? Without knowing the details it's hard to say, but the likeliest explanation is that the laptops simply weren't encrypted or that certain security settings weren't enabled.
In a situation like this, the IT consultant in charge of acquiring hospital software or performing maintenance on the laptops could be liable if the software wasn't secure enough to protect patient data.
What Are the Different Types of Data Breaches?
As we saw above, physical theft of devices is actually a liability for IT consultants – and it's one they often overlook. Though most people use the word "data breach" as a catch-all term, it's important to distinguish the different types:
- Employee errors (e.g., unintentional disclosures, sending an email to the wrong person, misdirecting faxes, and losing paper records).
- Lost or stolen physical devices.
- Malware or spyware attacks.
- Insider attacks (i.e., when an employee or former employee uses their network access to steal data).
Why separate data breaches into these different types? Not all data breaches are equal. If you look at data breach statistics, you'll see that each type of data breach differs according to cost, preventability, and other factors.
How Do Different Types of Data Breach Compare to Each Other?
Insurance Business America reports on a recent study by a Cyber Liability Insurance provider that examined the data for 1,500 data breaches that occurred over the last two years. Here's a summary of the key findings:
- 73 percent of data breaches involving portable devices could have been prevented if the devices had been encrypted.
- Employee errors were the most common source of data breaches.
- Malware / spyware data breaches were 4.5 times more expensive than those caused by employee errors because of the additional costs for forensic security investigations.
- Malware data breaches increased 20 percent from 2013 to 2014.
- Insider attacks increased 10 percent from 2013 to 2014.
What Do Data Breach Statistics Tell Us About Security?
After looking at the data and examining the liabilities that come with different data breaches, we can see four clear takeaways:
- IT consultants can limit the damage done by lost / stolen devices by encrypting them.
- Malware attacks are significantly more expensive.
- While less common, both malware and insider attacks are increasing at surprising rates, which means you'll need to stay ahead of these attacks.
- Employee errors account for a surprising number of data breaches, so make sure you properly train clients (and build in some redundancy where possible).
Whatever IT strategy you adopt, remember that your Professional Liability Insurance (aka Errors and Omissions Insurance) can cover IT consultant liability, regardless of the type of breach.
To learn more about E&O Insurance, see our sample insurance quotes for IT consultants.