BakerHostetler’s Data Security Incident Response Analysis for 2018

BakerHostetler has published its 5th yearly Data Security Incident Response Report, which features an evaluation of the 750+ data breaches that it helped handle in 2018.

BakerHostetler shows there happens to be a collision of data security, privacy, and compliance. Companies were compelled to adjust the way they take action in cases of security breaches.

U.S. companies needed to comply with federal and state data breaches and notifications regulations as well as the global privacy laws, including the EU’s General Data Protection Regulation (GDPR). The response to breaches has become a complex process because of the differences in personal information and breach response definitions and reporting requirements for GDPR, HIPAA all across 50 states. Non-compliance with any of the regulations can result to financial penalties. It is hence very important to be ready for breaches and respond appropriately when a breach is identified.

Because of the above-mentioined scenario, many companies have created committees with the help of stakeholders with the required expertise for managing data breaches.

Causes of Data Breaches


According to BakerHostetler’s report for 2018, the most common cause of data breaches is still phishing, which accounted for 37% of the incidents the law firm managed in 2018. Phishing attacks most commonly seek Office 365 credentials, which accounted for 34% of phishing attacks in 2018.

Other causes of data breaches include: Network intrusions (30%), accidental disclosures (12%); lost/stolen devices and records (10%) and system misconfiguration (4%).

In 30% of successful phishing attacks, the attackers exploited network to get accessible information. 12% of intrusions led to ransomware deployment, and 8% led to a fraudulent wire transfer. In 1% of incidents, a successful phishing attack deployed malware besides ransomware.

Of all successful attacks, 55% happened because of employee mistake, 27% were because of a third-party non-vendor, 11% were caused by a vendor, 5% were because of a malicious insider, 3% were because of a third-party non-vendor, and 2% were because of an unrelated third party.

Breach Response, Investigation and Recovery


In 2018, 74% of breaches were identified internally while 26% were discovered by a third-party.

On average, it took 66 days to detect a breach throughout all industry sectors, 8 days to respond, 28 days to complete a forensic investigation and 56 days to issue notifications.

in the healthcare industry, it took an average of 36 days to discover daya breaches, 10 days to respond, 32 days to finish a forensic investigation, and 49 days to send notification letters. Healthcare data breaches typically sends an average of 5,751 notification letters.

The investigations conduced by OCR and state Attorneys General increased in 2018. State Attorneys General investigated 34% of breaches and OCR also investigated another 34%. There were 4 lawsuits filed of the 397 breach notifications issued.

The use of forensic firms to investigate a breach also increased, from 41% in 2017 to 65% of breaches in 2018. The average expense for engaging a forensic investigation was $63,001. The average cost was $120,732 for network intrusion cases.

On average, the ransom payment made was $28,920 with a maximum of $250,000. 91% of the cases where ransom payment was made, the attacker gave valid decryption keys.

70% of breaches required the company to offer credit monitoring services mostly because of Social Security numbers exposure.
BakerHostetler additionally remarks that after a data breach, access right requests often increase. Hence, companies should have established and scalable access right request processes to cope with the increase in work after a security breach.

Interactive Data Breach Notification Map

Healthcare organizations must comply with the HIPAA Breach Notification Rule that requires the issuance of breach notification letters to affected persons within 60 days of the identifying a breach.

States that have their own breach notification laws, in some cases, demand notification letters to be issued more quickly. BakerHostetler has put together an interactive data breach notification map to assist companies in knowing the breach notification requirements per state.

With this interactive data breach notification map, healthcare organizations can learn the breach reporting requirements per state. This tool is available here.