Breaches: What to ExpectExperian's Mike Bruemmer Shares Industry Forecast for 2014
See Also: Dynamic Detection for Dynamic Threats
We will see more big breaches in 2014, and there is a fear that we all will give in to "breach fatigue," says Bruemmer, vice president of Experian Data Breach Resolution. These are among the points hammered home in Experian's new 2014 Data Breach Industry Forecast.
But what are the factors that make 2014 such a critical year for breach preparation? Bruemmer cites two: the advent of health insurance exchanges in the U.S. and pending data protection legislation in Europe.
"Since it looks like that will be the most significant legislation coming out of the EU, let alone the rest of the globe, there are a lot of people watching in anticipation of an update in the spring," Bruemmer says.
Good news: Bruemmer sees the actual cost of breaches going down, as organizations become more aware of the risks and what they can do to mitigate them. But with this increased awareness comes greater responsibility to be prepared.
"Organizations really have fewer excuses why they shouldn't be prepared," Bruemmer says. "It's much more cost-effective to prepare, to pay the price and invest up front, versus paying later."
In an interview about 2014 breach predictions, Bruemmer discusses:
- Impact on the average cost of a breach;
- Why we're likely to see more big, international incidents;
- The danger of succumbing to 'breach fatigue.'
Bruemmer is Vice President, ExperianÂ® Data Breach Resolution at Experian Consumer Services, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
Breach Predictions for 2014
TOM FIELD: In your forecast, you said that 2014 is going to be a critical year for breach and incident preparation. What exactly makes this year unique?
MICHAEL BRUEMMER: Tom, I would cite a couple of things. From a global standpoint, there's the new pending legislation. We talked about it from a federal perspective in the United States, and I don't think 2014 will be the year when we have a federal data breach notification law. However, in the EU, I think the new pending legislation that's supposed to come about in the spring will happen, and there are some implications, not only in terms of the amount of time people will have from an organizational standpoint to notify regulators and affected parties, but also potential penalties that could go as high as two to five percent of worldwide revenue.
Second, I think is he implementation of all of the health insurance exchanges. I saw recently that over 1 million people have signed up for the new insurance, and you have 31 different exchanges out there, including the federal one. I think that's a lot of information to be input, transferred, and processed between the sites and the insurance companies. So I think that will make a unique year, particularly for healthcare, which happens to be the largest vertical service in terms of number of security incidents.
Cost of a Breach
FIELD: You see the price tag on the cost of a breach coming down this year. Why is that, and what are the potential ramifications?
BRUEMMER: Well, even on the illicit black market for identities, the laws of supply and demand actually apply as well. I think there are so many pieces of identify information or protected health information that price has actually gone down significantly. In fact, a recent Dell SecureWorks study said that from 2012 to 2013, the price for a full identity string has dropped from $40 to $28. So if those numbers are correct, I think that law of supply and demand is really driving it. I will also say that in addition to that influence of lower market demand, there is increased awareness, and people are less likely to not be prepared for a breach if they're aware that they're susceptible and they have a plan in place. Organizations, because of this lower cost, also will have fewer excuses why they are not prepared, because it's less expensive to prepare for them. They can get the budget, and, quite frankly, it's much more cost effective if you prepare up front than you pay the price on the back end.
FIELD: You see the potential for big breaches across borders in 2014. What are the factors that you weigh when you make this prediction?
BRUEMMER: The contributing factors that we see, of course, are the fact that consumers really are global. There's not a limitation because of not only the internet, but where large global corporations are headquartered. They have consumers all around the world. Second, data is being transferred where the company operates. And whether there are some protections like Safe Harbor between the EU and the United States, there are lots of companies that have a worldwide footprint and the data flows for those operations in fact are present. I'll also just point out one more fact, and I thought it was interesting, that in 1990 there were about 30,000 multinational corporations. Today, in 2013, that number has doubled, and it's supposed to be doubling again in the next five years.
FIELD: What can we expect to see now in the wake of HIPAA enforcement, and what do you see as the specific takeaways for other industries that are watching healthcare?
BRUEMMER: According to the latest report on the OCR website, since 2009 there have been a total of 87,597 complaints, and 25 percent of them have been resolved by investigation and enforcement. I think 2014 is going to bring a new wave of enforcement actions because of the final Omnibus Rule. I know we saw recently an article where a small doctor's practice had a large fine, over a million and a half dollars in total, but some of these examples are going to be surprising to people because it's not necessarily the size of the entity that's going to dictate the amount of the fine. It's the severity of the fact they either weren't prepared or, especially during the security incident, they failed to respond properly to not only the regulators, but to the affected parties. I think there will be some examples set by the OCR in terms of the severity of the fine and the breadth of the fine.
The second part of your question, for other industries how can they use the warnings: In particular, because of the new emphasis on business associates, or in terms of outside healthcare, the level of data breach preparedness that's required for those third-party vendors should be exactly the same as the main company or, in the case of healthcare, the covered entity. So what is good for the covered entity is also good for that business associate or third-party vendor. In fact, contracts should reflect that, and audits should enforce the fact that those standards are in place all across the ecosystem.
FIELD: What are the signs of breach fatigue, and why is it something we should be concerned about this year?
BRUEMMER: Well, breach fatigue simply means that people are becoming somewhat complacent to the letters or the notification emails that they receive about the breach of their personal identity information, or PHI. I think the concern that people should have is that at least one in four, and potentially one in three when the numbers are all compiled for 2013, Americans will receive a data breach notice, and in some cases people will receive multiple notices, and they're not becoming desensitized or taking advantage of the free resources to help protect themselves and get their information used.
There was a large HIPAA breach going on we serviced, and at the same time it coincided with a large core processor and a state department of revenue. So within the same geographic area over a 120-day period of time there were people that got at least three notifications about a breach of their identity. You're going to see more and more if the predictions are right for additional breaches where people are going to be getting these multiple notification letters. They need to take them all seriously, and it's not bad that if you have signed up for the identity theft protection from each one of them that you have in a sense duplicate coverage versus saying, "Nah, I have one, I'm not going to pay attention to the other because not all coverage is the same." They really have to pay attention individual incident by individual incident.
FIELD: What are some of the other key highlights that you want to share with our audience today?
BRUEMMER: I would say the most important change, that we haven't mentioned so far, is the spirit of cooperation that's happening between attorneys generals, and even the Office of Civil Rights, in terms of HIPAA and High Tech. And what I mean by this spirit of cooperation is: The enforcement officials are reaching out and saying to organizations, "Work with us beforehand, develop a relationship; we want to help you either before the incident or particularly during an incident, but you've got to give us a head's up and have that relationship."
The payout for this, quite frankly, is, if you have a relationship, if you're asking advice, if you're giving that regulator or that federal official a head's up to what's going on, more than likely they're going to be cooperative. They're going to help you through the incident and work with you so on the back end there aren't the fines, the enforcement actions and the penalties that would come because you didn't cooperate with them up front. I see that happening in the last couple months in 2013, and I think it's going to come into full force in 2014.
Insights Into Actions
FIELD: How should individuals and organizations put your insight into action?
BRUEMMER: You heard me say this before, and I don't mind being accused of acting or sounding like a broken record: Folks need to embrace that they will have a breach. It's not a question of if; it's a question of when. Have an incident response plan that is a live document, not just a bunch of checkmarks stuck in a binder on the shelf.
Finally, practice it. Do live drills. We've seen companies that actually didn't have a response plan the first time around, they put one together, they practiced it, they had another event, and the second event went much more smoothly not only for the company, but for the affected party. So there's payoff at the end of the rainbow, and I think those three things alone will help people tremendously as they go into 2014.