Who is Responsible When a Data Breach Occurs?

The Identity Theft Resource Center revealed 1,244 breaches occurred during 2018. While that was lower than the breaches that occurred in 2017, the number of records exposed in those breaches was over 446.5 million. That’s more than double the exposures from 2017.

The breaches in 2018 hit the business sector the hardest. Marriott International saw the largest exposure, with 383 million victims. The other industry that was greatly affected was healthcare: UnityPoint Health found the records of 1.4 million patients were exposed during a data breach. When these breaches happen, who is responsible? The answer to that isn’t as simple as you might imagine.

What Led to the Data Breach?

You first have to look at the type of breach. Looking at 2018’s data breaches, the breaches occurred for one or more of these reasons (from most common to least common):

  • Hacking
  • Unauthorized access
  • Accidental exposure
  • Employee error or negligence (lost computer/files and improper disposal of sensitive equipment or forms)
  • Physical theft
  • Insider theft
  • Data on the move

Take a closer look at each type of breach to get a better understanding of how these data breaches occur. In some cases, such as employee negligence, companies are responsible for the data breaches. But that’s not always the case when there was unauthorized access or hacking despite security measures being in place.

Hacking: Hacking occurs when someone breaches another network or computer system without permission. An example of hacking occurred in 2013 when a group of hackers breached Yahoo and stole the email addresses, passwords, names, and birthdays of 1 billion users.

Unauthorized access: Hacking is a form of unauthorized access, but there are other situations where unauthorized access may occur that don’t involve hackers. The category covers incidents where private information was accessed but the cause was not employee error, theft, negligence, or a hack. Grocery store chain Hannaford was hit with unauthorized access when an employee installed a software update that was infected with malware.

Accidental exposure: Accidental exposure and employee error can be linked. In this case, the breach occurs by accident. A good example is the case where a person looking for information on local VA hospitals was sent a file that accidentally contained patient information. It was an accident, but because of that mistake the person ended up with the names, dates of birth, and partial SSNs of hundreds of patients.

Employee error or negligence: Negligence is a common cause of data breaches. Cox Communications was sued for this in 2018 when it was discovered that the company was not properly recycling old computers and phone equipment. While the company denies a data breach occurred, it did admit it had not taken the proper steps in disposing of the old equipment.

Physical theft: Physical theft involves a burglary or armed robbery. In 2018, computers and tablets were stolen from an addiction treatment facility. Information on those devices included names, health insurance account numbers, dates of birth, and SSNs.

Insider theft: Insider theft occurs when an employee steals private information. McLean Hospital in Massachusetts became the target of insider theft when an employee quit without returning tapes that contained information on more than 1,400 patients. The information stolen in this case included SSNs, medical files, family histories, and names.

Data on the move: Some breaches take place while data is being sent from one location to another. As an example, HSBC lost a disc of information somewhere in the mail as it went from one office to another. That disc had not been encrypted.

Could It Have Been Prevented?

Many breaches could have been prevented by keeping virus, malware, and spyware definitions up to date and running scans consistently. Properly recycling outdated electronics is also important for avoiding data breaches.

Whether a company is responsible or not depends on the breach itself. Equifax is one of the more recent and memorable breaches. This tremendous data breach happened because the financial institution failed to install critical software updates. A U.S. District Court judge refused to accept the argument that, with so many breaches occurring, it’s impossible to hold a company responsible, and he refused to dismiss the case against Equifax. That trial continues in 2019.

Have Companies Been Held Liable?

Not every company is found liable, but it’s risky to chance it. If a company is not taking measures to protect private information, it may be forced to pay millions, just as these companies experienced. Uber was forced to pay $148 million to drivers throughout the U.S. following a data breach. Anthem paid $115 million in settlements. The health insurer also paid $16 million to the federal government.

Many States Are Adopting Bills or Measures to Protect Consumers

Lawmakers in more than two dozen states are working on or have passed new security breach legislation to address data and security breaches. New laws passed in Alabama, Arizona, California, Colorado, Connecticut, Hawaii, Iowa, Illinois, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Missouri, Nebraska, New Hampshire, New Mexico, New York, Ohio, Oregon, South Carolina, South Dakota, Tennessee, Utah, Virginia, Washington, and the District of Columbia.

These changes may be as small as eliminating the fees to place or remove a credit freeze. Other laws put policies in place that companies must follow with regard to security and breaches.

If you’re responsible for storing and maintaining private information, you must follow proper data destruction protocol. ERI holds NAID AAA certification for data destruction. Trust in ERI’s electronics and IT Asset Disposition services to prevent data breaches caused by improper disposal. Contact ERI today to learn more.