Because of the sensitive information they hold in trust, lawyers should be very concerned about the security of their data. What can they learn from The Identity Theft Resource Center’s (ITRC) 2019 End-of-Year Data Breach Report? Digital Detectives hosts Sharon Nelson and John Simek welcome David Ries to discuss the details of the report, trends lawyers should be aware of, and the ITRC’s recommendations for data breach victims.
David Ries is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the areas of environmental, technology, and data protection law and litigation.
Special thanks to our sponsor, Logikcull.
Your Opinion Matters
Help us make your favorite shows better by completing the 2022 Listener Survey.
The 2019 Data Breach Numbers Are In – What Are They and What Do They Mean for 2020
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 112th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics cyber security and information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice-President of Sensei Enterprises. Today on Digital Detectives our topic is The 2019 Data Breach Numbers Are In – What Are They and What Do They Mean for 2020.
Sharon D. Nelson: Before we get started, I’d like to thank our sponsors. Thanks to our sponsor Logikcull, instant discovery software for modern legal teams. Logikcull offers perfectly predictable pricing at just $250 per matter per month. Create your free account at any time at logikcull.com, that’s logikcull.com/ltn.
John W. Simek: Today our guest is Dave Ries, who is of counsel in a Pittsburgh, PA office of Clark Hill, PLC where he practices in the areas of environmental, technology and data protection law and litigation. For over 25 years, he’s increasingly focused on cyber security, privacy and information governance.
Dave frequently speaks and writes nationally on legal ethics, technology and technology law topics. And as usual Dave, it’s great to have you back with us again.
David G. Ries: Thanks John. I’m glad to be back. I always enjoy it.
Sharon D. Nelson: Well today Dave, we’re going to talk about the Identity Theft Resource Center’s 2019 End-of-Year Data Breach Report and I’m guessing that a lot of our audience has no familiarity with the report or the Identity Theft Resource Center. So why don’t you clue them in.
David G. Ries: Okay well the Identity Theft Resource Center, it goes by ITRC, is a nonprofit that does two things. It supports victims of identity theft in resolving their cases and second it provides public education and awareness in identity theft, data breaches, cybersecurity, scams and privacy issues.
So it helps and provides information. It operates a Victim Assistance Call Center so that people who are victims of identity theft or have had their information compromised can call and get free help. It also has a lot of online resources in addition to the call.
It’s sponsored by some tech companies like Google and LexisNexis. It’s also sponsored by the U.S. Department of Justice’s office for Victims of Crime. So its website is idtheftcenter.org.
John W. Simek: Well David sounds like it’s somewhat familiar with some of the other security and the breach reports that I know you and I and Sharon are constantly reading up on but can you give us a little more insight on the kinds of information that it collects and it reports on.
David G. Ries: Sure. So it focuses on consumer data breaches so ones that expose or compromised personal information about consumers. The other ones are much broader. So it collects a lot of different kinds of information about breaches, how they happen and what kind of information was exposed in them. It started in 2005 and that’s when California’s Data Breach Notice Law, the first one in the country, took effect and companies had to start reporting data breaches in which defined kinds of consumer information was exposed.
So the Resource Center started then collecting information on every breach that it could find through media sources and government agencies to which breaches were reported has kept a running list of breaches since then and periodically summarizes and reports on trends and things of that nature.
It has two types of reports in addition to this Summary Annual Report. It has the Running Data Breach Report that lists each individual one and those are posted weekly and then about quarterly it pulls the statistics together from them and then annually, summarizes them in the kind of report like we’re discussing today.
Sharon D. Nelson: Are there other organizations Dave that collect and report on the same kind of information?
David G. Ries: I think at this point, we’re down to the last one on this specific kind of information. There were three of them and one might still be springing back. So the original one was called the DataLossDB or Data Loss Database and it collected the same kind of information I believe that it stopped updating it in 2015 so it’s by the side now.
The Privacy Rights Clearinghouse has collected and reported similar information. It was current until fairly recently when you go to its website now, you can still download a spreadsheet type database with all of the information but the analysis and statistics aren’t there.
It says that it’s rebuilding so that one may come back. In addition the FBI’s Internet Crime Complaint Center, IC3, and the Federal Trade Commission collect this same kind of information but they just published summary statistical reports. You can’t go to them a lot like you can in this one and the DataLossDB and the Privacy Rights Clearinghouse and get each incident by list with available information about it.
And as John mentioned, there’s some other security reports like 00:06:27, SamTrans and Verizon’s Data Breach Investigation Report but those don’t take each data breach with consumer data and list them in order and collect the information. They focus on other areas.
John W. Simek: So Dave, the big question is what is the End-of-Year Data Breach Report?
David G. Ries: All right, well it’s basically a summary of the information that was collected during 2019 and a comparison of it in terms of numbers and trends to 2018. It’s a 237-page PDF document most of those pages are the list of each individual data breach on which they collect that information.
The first 24 pages which are the overview and summary have some really good graphics and charts and provide an overview of the information but the lists, the detailed list in most of the pages takes each data breach, the type of information was compromised, the industry it was in, how the breach happened, and the type of information that was exposed or compromised.
So it’s a pretty interesting report to those of us who delve into this area. For someone who doesn’t want to delve into the details, the original pages with the charts and graphics provide a lot of useful information.
Sharon D. Nelson: Well I have a feeling that for our podcast we’re going to stick pretty much with the first 24 pages too, that’s where the highlights are, right?
David G. Ries: That’s right. You don’t want me to start randomly reading heavily from the rest of the pages and put us all to sleep and turn the audience off.
John W. Simek: But if I know you Dave you’ve probably have already gone through all 200 plus pages.
David G. Ries: Skim through, I certainly haven’t read through and reviewed them in detail. So one of the interesting things that happened was that in 2019, the number of data breaches was up by 17% from 2018 and last year, it asked the question because there had been a decrease from 2017 to 2018, are we going to see a trend of decreasing number of breaches or are we going to see level off or increase or what?
Well the trend of decreases was a short-lived trend because 2019 was up by 17% in the number of breaches and the business sector was the most — had the most breaches in both years.
One of the interesting things despite the increase in number of breaches from 2018 to 2019, there was a 50% drop in the overall number of records exposed. So it was kind of interesting and just to put two numbers out there, I don’t want to keep reading off numbers in a oral podcast.
In 2019, they were 1473 breaches that was up from 1257 in 2018 but sticking more with the percentages, an interesting point in 2019 despite the incidence, the number of breaches going up, there was a 41% drop in consumer personally identifiable information was exposed.
So the number of breaches went up but the number of records exposed went down. The report noted that 2018 was kind of skewed because it included the Marriott Starwood breach that had a very high number of records compromised and that’s one of the interesting things when you look at these statistics over the years, one or two really big data breaches in a particular year can just totally define the numbers for that year but really doesn’t show anything about a trend.
Another thing that is a distinction in the report, it distinguishes between the number of breaches involving records that are actually breached that someone unauthorized actually got access to them and records that were just exposed because we just jumping out of the report for a minute, we have seen a lot of reports in the last year of large online databases like in Amazon Web Services or others being exposed because they weren’t properly configured or default password for use and things of that nature.
So anybody who looked for it and found it could get access to it, a lot of times they are found by security researchers so there may not have been an actual breach of the data but it has been exposed and that’s one of the highlights of this report pointing out that difference and breaking numbers down.
John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.
Sharon D. Nelson: 10 years ago eDiscovery meant lawyers packed into a basement, fumbling with complex slow software, wondering where their lives had gone wrong. Today not much has changed. That’s why Logikcull is putting an end to eDiscovery. Logikcull is simple, powerful, instant discovery software, designed to make you hate document review less. Create a free account today by yourself, with no human interaction at logikcull.com/ltn. That’s logikcull.com/ltn.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is “The 2019 Data Breach Numbers Are In – What Are They and What Do They Mean for 2020?” Today our guest is Dave Ries who is up counsel in the Pittsburgh Pennsylvania Office of Clark Hill PLC where he practices in the areas of environmental, technology and data protection law and litigation.
John W. Simek: Dave can you tell us a little bit about the report — does report the types of information that were compromised?
David G. Ries: Yes it does. It breaks information down into two general categories. What it identifies as sensitive information and non-sensitive information and then it takes each of the types of businesses that it reports on and breaks down the number of records of sensitive information and non-sensitive information that has been exposed. Now I wouldn’t exactly categorize it this way personally but it classifies as sensitive things like Social Security Numbers, financial accounts, driver’s licenses, passports, I agree those are sensitive.
What it calls non-sensitive are email addresses, usernames and passwords and in some circumstances it may be non-sensitive, I’d probably call it less sensitive because if you have users who unfortunately used the same usernames and passwords across the board, even if it is a site that has non-sensitive information that may get an attacker into something that does have sensitive information. So I view the non-sensitive with more caution than just categorizing it is as non-sensitive.
Sharon D. Nelson: Dave I certainly agree with you that that should be classified passwords and user IDs those should be classified as less sensitive maybe but certainly not non sensitive and for the reasons you state but let’s go on and talk about how these breaches break down by industry, that’s always a great source of interest to folks.
David G. Ries: Yes. So it breaks industries down into five categories. First is business and it reported 644 breaches in that category.
Second is medical/healthcare and it reported 525 in that category. Next is education with 113 breaches reported, fourth is banking, credit, financial with a 108, and finally government/military with 84. So it seems like the government and military may be doing better than in past years. I didn’t go back and look at it but my general impression is that those numbers were higher in some of the past years.
One of the interesting notes that goes with this is that virtually all of the non sensitive records that were compromised were in the business category. And that was over 705 million non sensitive records compromised in all the other categories other than business, it was only a hundred thousand so something that went with those industries, but for people who are interested in looking at the actual numbers and how they fit together, I recommend looking at the first part of the report because again it has some good graphics and charts that that highlight everything.
John W. Simek: So Dave can you tell us a little bit about and I assume that they did this in the report was the breakdown by the methods that were used as part of the breach?
David G. Ries: Yes and I’m looking now at one of the charts, so it has a list of the method of the attack and it breaks them down into seven categories and then it goes across and has each of the categories of breached entities and gives the number for each of them. So again if people want to delve into it that handy chart will give you a lot better explanation than I could talking with without any graphics.
But the categories are hacking and intrusion that one includes phishing, ransomware and malware and skimming of credit cards. Next is unauthorized access. Third is employee error or negligence or improper disposal and lost devices, that’s kind of a broad category but that’s one of them and then accidental web or Internet exposure physical theft, insider trading and finally data on the move. So that’s the seven categories that they have.
The one with the largest total across the board is the hacking and intrusion. Next is unauthorized access and then at the bottom are the insider theft and data on the move. It’s interesting the total on those two bottom ones is fewer than 60, the total on hacking intrusion is 577 incidents so big spread in the methods by which they did it.
Sharon D. Nelson: Yeah that’s for sure and I know you’ve taken a look at this report a lot more intensively than John and I have so what do you think are the lessons from this report as we’re now a couple months into 2020?
David G. Ries: Well a couple of lessons I mean first in terms of what’s going to happen in 2020, I don’t think it really gives us a clear indication because of the statistics have changed. It certainly tells us that the data breaches are going to occur, they’re going to affect all industries, they are going to involve the various methods, the two highest as I pointed out were the hacking and intrusion and unauthorized access so for businesses and organizations that are defending their consumer data, those are the places to go. I would suggest also depending on which industry a business or organization is in or the folks advising them, look at what’s happening in your particular industry, it’s part of a threat assessment to look at what’s happening to the kind of data that you have in terms of updating your defenses in your cybersecurity program.
For individuals it tells us or them that they’re going to continue and we need to protect ourselves against it, we always tell our clients or when we’re teaching we tell our audiences the importance of an incident response plan. One of the lessons to me from this report is that a consumers need them too, at least have an idea what you’re going to do if your date is breached or you become a victim of identity theft, certainly know where to go for information much spreaders and scrambling at the last minute after there already is something you have to respond to.
John W. Simek: Well Dave I guess the last question here and maybe the big takeaway is what recommendations does the ITRC have for victims of data breaches?
David G. Ries: All right that’s carrying right forward from my last point about each of us having our own or our families incident response plan. If you go to their homepage they have a link that says, I need help. So that’s a good place to go.
John W. Simek: Is your phone number there?
David G. Ries: And it breaks it down into 9 different categories depending on what’s happened. So for someone who is a victim of identity theft, of a criminal identity theft, elderly, children, government, just a general category of identity theft, military, medical, across the board for various one, so you go there, you click on the particular link and it gives you guidance for what you should do in the event of a data breach.
It also recommends going to another site which is the Federal Trade Commission’s Identity Theft Resource Center, which has a lot of similar information, its identitytheft.gov. So without going into the details which I’ll do in a minute those are the places to go for information. So just having that ready can take you a long way toward protecting yourself.
So the steps that both of these sites tell you to do in different order depending on exactly what’s been compromised, it’s one thing if new accounts have been opened using your social security number then if you just get a notice that your credit card number has been compromised because the actual fraudulent identity using your social security number is extremely dangerous.
The credit card is very easily controllable by getting a new credit card number, but you notify the business or organization that’s involved notify the Federal Trade Commission, notify local police and get a report then you have evidence that you’ve been a victim and you have something that you can submit to creditors or others who you may need to deal with.
Place a fraud alert on your credit report with all three of the major credit agencies or alternatively establish a credit freeze which basically closes your account for new credit, get a copy of your credit report and review it and periodically get them and monitor them and then finally remediate the particular account that’s involved.
So the Identity Theft Resource Center a lot of people don’t know about it, they have fairly good marketing but most of the time that I talk to people who are victims, they don’t know about it and haven’t heard anything about it. So it’s a great resource for victims.
Sharon D. Nelson: Well actually I think Dave this entire podcast has been a great resource for victims as well as for all of us who are involved in this kind of work or trying to learn more about it. So thank you as always for being willing to be our guest and this was an especially important report. So it was nice to have you available to talk us through it and we look forward to seeing you in a couple of days at ABA Tech Show.
David G. Ries: Yes.
John W. Simek: Well that does it for this edition of Digital Detectives and remember you can subscribe to all the editions of this podcast at legaltalknetwork.com or an Apple podcast. And if you enjoyed our podcast please rate us on Apple podcast.
Sharon D. Nelson: And you can find out more about Sensei’s Digital Forensics Technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.