The theft of information, also known as a data breach, is a crime that was virtually unknown two decades ago but is flourishing in the 21st century. A data breach is defined as the theft of personal information including names, Social Security Numbers, birth dates, medical information, driver’s license numbers, user names and passwords, and financial account information such as credit or debit card numbers. With an ever-increasing reliance on computers and information technology, organizations are increasingly susceptible to this type of fraud. Information thieves are misappropriating data and selling the stolen information on the darknet. The Identity Theft Resource Center (www.idtheftcenter.org) reported that as of December 13, 2016, there were 980 data breaches reported in 2016, more than 30% above the year-to-date count for 2015.
Over the years, the theft of data has become a profitable crime. This is because in the modern economy, businesses offer goods and services on credit to strangers based on the data in the buyer’s credit history. With telecommunications and internet technology, buyers and sellers do not need to meet in person to consummate their transaction. The internet has made access to information almost instantaneous. Increased access to data on the internet has provided criminals easier access to personal information from both inside and outside the United States. Identity thieves can use the internet to gather an individual’s identifying information without ever coming into personal contact with the victim.
Criminals breach the IT security of companies, not-for-profit organizations and even governmental entities and steal information from their computers. Human resource departments are often targeted because criminals are looking for payroll information, which includes names and Social Security Numbers. Retail outlets are also targeted because they store customer information, including credit and debit card numbers, on their computers; in the Home Depot data breach, the cyberthieves targeted the point-of-sale (POS) cash registers. Data breaches allow criminals to obtain a substantial amount of information with a minimum risk of being caught. Many data breaches begin with a phishing attack, in which the criminals email an individual in the target company a message carrying a virus or other form of malware, either as an attachment or as a link to a malicious site. When the unsuspecting employee opens the attachment or follows the link, the malware runs with that employee’s access, and the company’s computer systems and data are compromised.
Per the 2016 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM and independently conducted by the Ponemon Institute, LLC, the average total cost of a data breach to the victim organization in 2015 was $4 million. Smaller breaches cost less than larger ones: the average cost of a breach in which fewer than 10,000 records were compromised was $2.1 million, whereas the average cost of a breach in which 50,000 or more records were compromised was $6.7 million. The average cost of a data breach in 2015 was up 29% over the average cost in 2013. On average, each compromised record cost the victim approximately $158. The Ponemon Institute also reported that the mean time to identify a data breach after it occurred was 201 days in 2015, and that the mean time to contain a breach once it had been identified was a further 70 days. Taken together, discovering and containing a data breach took roughly nine months (271 days) on average in 2015.
The theft of data isn’t the only way to compromise an organization’s information. Another common attack is the installation of ransomware on a victim’s computer. Ransomware is a type of malware that infects a computer and encrypts the files stored on it. The criminals then demand that the victim pay a ransom to receive the key needed to decrypt the files. Strictly speaking, a ransomware infection denies the organization access to its own information rather than stealing it, but the information is compromised just the same.
Some interesting statistics on data breaches reported by BitSight (https://www.bitsighttech.com/blog/data-breach-statistics) include:
- 37.2% of organizations in the United States had a botnet grade of “B” or lower, meaning BitSight observed machines on their networks communicating with botnet command-and-control infrastructure. These organizations have a higher chance of suffering a data breach at the hands of computer hackers.
- 54.8% of organizations had a Sender Policy Framework (SPF) grade of “C” or lower. SPF is a DNS TXT record that lists the hosts authorized to send email for a domain; a missing or permissive record lets attackers forge mail that appears to come from the organization, so these organizations have a higher chance of falling victim to spoofing or phishing attacks.
- Crypto-style ransomware attacks on companies grew by 35% in 2015.
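The SPF point above is worth making concrete. The following is an added example written for this article (it is not code from the original page and it does not reproduce BitSight’s grading method): a small Python checker that parses a domain’s SPF TXT record, reports how the record treats senders that match no mechanism (the terminal “all” qualifier), and counts the mechanisms that each cost a DNS lookup against the limit of 10 set by RFC 7208. The sample records, IP ranges and domain names are constructed for illustration, and nothing is resolved over DNS.

```python
"""SPF record sanity check (RFC 7208).

Added example for this article, not code from the original page and not
BitSight's grading method. Parses an SPF TXT record, reports what a
receiver does with a sender that matches no mechanism, and counts the
top-level terms that each cost a DNS lookup. Sample records below are
constructed; no DNS queries are made.
"""
import re

# Terms that consume one of the 10 permitted DNS lookups (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Receiver result for a sender that falls through to the terminal "all".
POLICY = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

# qualifier, mechanism/modifier name, optional value after ':', '=' or '/'.
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?")


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) tuples; qualifier defaults to '+'."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        match = TERM_RE.fullmatch(term)
        if not match:
            raise ValueError("malformed SPF term: %r" % term)
        qualifier, name, value = match.groups()
        parsed.append((qualifier or "+", name.lower(), value))
    return parsed


def assess_spf(record):
    """Return the terminal qualifier, resulting policy, top-level lookup count and warnings."""
    terms = parse_spf(record)
    result = {"terminal": None, "policy": "none", "lookups": 0, "warnings": []}
    names = [name for _, name, _ in terms]
    for qualifier, name, _value in terms:
        if name in LOOKUP_TERMS:
            # Only top-level terms are counted here; the record behind an
            # include: adds its own lookups when a receiver evaluates it.
            result["lookups"] += 1
        if name == "ptr":
            result["warnings"].append("ptr mechanism is deprecated by RFC 7208 (slow and unreliable)")
        if name == "all":
            result["terminal"] = qualifier
            result["policy"] = POLICY[qualifier]
    if result["terminal"] is None:
        if "redirect" in names:
            result["policy"] = "delegated by redirect="
        else:
            result["warnings"].append("no terminal 'all': unlisted senders default to neutral and are not rejected")
    elif result["terminal"] == "+":
        result["warnings"].append("'+all' authorizes every host on the internet to send as this domain")
    elif result["terminal"] == "?":
        result["warnings"].append("'?all' is neutral: receivers will not reject forged senders")
    if result["lookups"] > MAX_LOOKUPS:
        result["warnings"].append("%d lookup mechanisms exceed the limit of %d; receivers return permerror"
                                  % (result["lookups"], MAX_LOOKUPS))
    return result


# Constructed sample records (documentation address range and example domains).
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ptr +all"
STRONG_RECORD = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
NO_ALL_RECORD = "v=spf1 mx a"
TOO_MANY_RECORD = "v=spf1 " + " ".join("include:spf%d.example.com" % i for i in range(11)) + " -all"

if __name__ == "__main__":
    for label, record in [("weak", WEAK_RECORD), ("strong", STRONG_RECORD),
                          ("no-all", NO_ALL_RECORD), ("too-many", TOO_MANY_RECORD)]:
        verdict = assess_spf(record)
        print("%-8s policy=%-22s lookups=%2d" % (label, verdict["policy"], verdict["lookups"]))
        for warning in verdict["warnings"]:
            print("         warning: " + warning)
```

A record that ends in +all or ?all, or that has no all term, lets anyone send mail that passes or is treated as neutral for the domain, which is exactly the spoofing exposure a poor SPF grade reflects; -all (or ~all paired with a DMARC policy) is the correction. Exceeding the lookup limit is the other common defect: receivers return permerror and the record gives no protection at all.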
It is important for companies to understand their risk of becoming a victim of a data breach. Breaches can result from external attacks, insider misuse, lost or stolen devices and media, and even attacks on businesses by foreign governments. Most data breaches are carried out by criminals gathering information to sell to other criminals. Good internal controls over information technology are a necessity in today’s business environment.
One of the most well-known data breaches occurred in November and December of 2013, and the victim was Target. An estimated 40 million debit and credit card numbers were stolen from Target’s point-of-sale systems, and the personal information (names, mailing addresses, phone numbers and email addresses) of up to 70 million customers was also taken. Along with the card numbers, the criminals misappropriated encrypted PIN data, CVV codes, ZIP codes and other personal information. The initial estimates of the costs to Target for this data breach were $3.6 billion. The Target data breach is important because of the litigation that followed. The banks that had to replace the stolen cards sued Target to recover their costs. The federal district court ruled in favor of the banks and Target appealed the ruling. The federal appellate court affirmed the lower court’s ruling, and Target appealed to the Supreme Court, which declined to review the case, leaving the appellate court’s ruling in place.
There are several legal issues associated with data breaches. Federal laws such as HIPAA, Gramm-Leach-Bliley, the Computer Fraud and Abuse Act, the Computer Security Act, and the Fair and Accurate Credit Transactions Act either require companies to maintain security over specified information or penalize unauthorized access to it. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
Accountants and auditors need to be aware of the legal issues associated with data breaches. One of the legal issues is the requirement to notify the individuals whose information has been compromised. All but three states, Alabama, New Mexico, and South Dakota, have passed laws that require companies to notify consumers in the event of a data breach. One of the most comprehensive state laws is the California Security Breach Information Act:
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business])
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business])
The California Attorney General also states “The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” There were 178 data breaches reported to the California Attorney General’s Office in 2015, and those breaches put approximately 24 million records of California residents at risk. The California data breach law also requires a company whose systems were breached to offer identity theft prevention and mitigation services, at no cost and for at least 12 months, to the affected individuals when the breach exposed Social Security numbers or driver’s license or state identification card numbers. (https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf)
It should be noted that not all data breaches are aimed at large organizations. Small businesses are also targets, including tax preparers, attorneys, medical offices, and insurance agents, because these professionals often have the personal information of their clients stored on their computers. Also, some courts have held that the victims of a breach do not need to prove the stolen information was actually used in an identity theft in order to recover damages: the fact that they must pay to monitor their credit or take other actions to protect their identity can be sufficient injury to support a damage award.
Businesses must use reasonable procedures to secure data in their possession. The procedures must be documented in writing and be tested or audited on a periodic basis. There is no way to guarantee that an organization will not become a victim of a data breach, but good internal controls can reduce the risk of becoming a victim of this type of fraud.