2016 has been called the “Year of the Data Breach,” earning that title by surpassing previous years in both the number of breaches reported and the number of records compromised. Yahoo’s announcement in September that 500 million user accounts had been compromised, followed by the announcement in December that an additional 1 billion user accounts had been exposed, was one of the most heavily publicized and was featured at the top of many lists compiling the biggest breaches of 2016. But there were many other breaches that exposed millions of data records involving PII and PHI – just look at the number of listings appearing on the US Department of Health and Human Services Office for Civil Rights’ so-called “wall of shame” for 2016.
This is the time of year we start seeing compilations of the biggest breaches from the previous year. From these breaches we can draw on common factors and identify a few trends in the biggest disclosures of regulated data last year.
Privacy and the Internet of Things
New and emerging technologies surfaced new and emerging vulnerabilities to exploit in 2016 – a prime example being the October attack in which the Mirai botnet, built from compromised consumer IoT devices, launched a DDoS attack against Dyn, a managed domain name system provider. The attack made major consumer websites such as Netflix and Twitter unreachable for much of a day, drawing wide attention from the public in the process. When it comes to privacy and the Internet of Things, an incident involving data collected from an IoT device should be treated like any potential privacy incident – with a multifactor risk assessment to determine whether the incident is a data breach that should be reported.
The Proliferation of Ransomware Attacks
Ransomware is a type of attack that has particularly plagued healthcare organizations, and was featured heavily in Healthcare IT News’ article 10 of the worst health data breaches of 2016. The rising prominence of this type of attack prompted the Department of Health and Human Services’ Office for Civil Rights to issue new guidance in 2016, which states that when ransomware encrypts electronic PHI a breach is presumed to have occurred unless the covered entity can demonstrate a low probability that the PHI was compromised. The well-publicized Hollywood Presbyterian attack in particular received a lot of attention from the media, as one of the largest publicized attacks of its kind at the time. The hospital paid $17,000 in bitcoin to regain access to its systems.
Rising Public Awareness of Privacy Issues
With data breaches increasing in size and number, the public is becoming increasingly aware of the threats to their private data and the companies that have been compromised. A Pew Research Center survey released last year indicated that Americans are becoming more anxious about their privacy and the technologies that capture and store their personal data. A recent Wired article cites a number of states that actually help you figure out if you’ve been hacked, specifically noting “nearly every US state (47 to be exact) requires companies to disclose when a breach affects their residents, and most track this data internally. That data is usually a public records request away from you, the consumer, who could actually use it to inform your digital habits.”
Increased public awareness of privacy and security issues doesn’t have to be a bad thing, according to Fahmida Y. Rashid, Senior Writer at InfoWorld. In a recent article, 5 signs we’re finally getting our act together on security, Rashid referenced the TV show “Mr. Robot” as an indicator that the public has a growing awareness of privacy and security issues, and is closer to understanding why it needs to pay attention to security basics. And if you haven’t seen Mr. Robot, it is quite fascinating, with disturbing implications for privacy in our digital age.
Privacy and Security Professionals: Reflecting on the Past, with an Eye On the Future.
The saying “those who cannot remember the past are condemned to repeat it” rings especially true in the fast-paced world of information security and privacy. A privacy or security professional’s career is built on analyzing data, looking for existing trends, accounting for and mitigating anomalies or vulnerabilities, all while keeping a trained eye on the future and what might be coming next.
We can’t be certain what the future may hold, but we can do our best to be ready for any eventuality. Here is a good place to start:
- Understand the difference between an event, an incident, and a breach – and what the implications are for your obligations to notify
- Identify your core and extended incident response team, their roles and their responsibilities in the event of a privacy incident
- Know the ins and outs of a multifactor risk assessment, what must be documented, and what mitigating factors might come into play
If you aren’t paying attention to the past, your data – and the trust your clients place in your organization – will be at risk.