According to the 2019 Mid-Year QuickView Data Breach Report, the first half of 2019 saw 3,813 data breaches involving 4.1 billion records. The majority of those records — 3.2 billion, or nearly 75% — were exposed in just eight mega-breaches. Email data was exposed in 70% of the breaches, and passwords in another 65%.
Risk Based Security, which compiled the report, concluded that data breaches are getting worse rather than better, with this year’s numbers representing a more than 50% increase over last year’s. Meanwhile, Yahoo’s data breach resolution is working its way through settlement proceedings, DoorDash saw 4.9 million customer records leaked, through an “unauthorized third party,” and 5.3 million credit and debit card accounts were exposed through a malware attack at Hy-Vee supermarkets and gas stations.
It’s not just major stores or social media giants that are at risk. While “many businesses wrongly assume they are too small to be on the radar of the threat actors[, t]he truth is that it is all about the data, and small businesses often have less well-guarded data stores.” In short, if you have valuable data, someone is probably trying to access it.
According to statistics compiled from UK data, human error remains the biggest factor, with 60% of data breaches reported in the first half of 2019 the result of simple mistakes. Of those, about half (43%) were caused by incorrect disclosures, with about 20% mistakenly sending data to the wrong recipient.
The risk of cybersecurity attacks has been increasing every year. IBM’s CEO recently called cybercrime “the greatest threat to every company” not just in the U.S. but also globally. Indeed, hackers keep hitting sensitive political, financial and legal targets.
Generally, when legal teams don’t aggressively protect their data, they play with fire. That’s because legal departments manage the type of sensitive information, especially during discovery, that hackers want. Rather than comb through a company’s entire database for useful information, hackers can zero in on the legal department to hit a jackpot of valuable assets.
As you’re building your technology stack, remember that the best, most sophisticated purpose-built software in the world doesn’t help you if your overall data system is not secure or if your employees aren’t careful. That means that each component must be rigorously defended and your people must be well trained and constantly vigilant. Data breaches may be getting worse, but we can all do better to protect ourselves — and our clients and customers — from them.
Choose Your Partners Wisely
Don’t assume that your data will be secure in the hands of ediscovery vendors, third-party service providers, or law firms. Audit any ediscovery partner both before retaining its services and periodically, perhaps annually, thereafter. The vast majority of ediscovery professionals overlook this critical step; only 19 percent conduct security audits with their ediscovery service providers. In addition to audits, ask the following questions:
- Where will you store ediscovery data?
- How do you protect that data at rest and in transit? Ensure that the partner uses adequate encryption methods and other security measures, such as firewalls.
- Who is allowed to access data, and from where or on what type of device? How do you control that access? Look for login credentials, pre-employment screening, and reliance on Tier 4 data centers.
- How do you monitor your systems to detect unauthorized access?
- How do you test and audit your security, and how often do you self-test?
- What is your policy for reporting breaches to customers? According to the American Bar Association’s 2017 Legal Technology Survey Report, only 11 percent of breached law firms notified their clients of those breaches. Include a specific breach-notification policy in your master service agreement.
- To assess security measures rapidly, ask what certifications the partner has obtained.
- Best-in-class security certifications include SOC 2 Type 2 and ISO 27001. Be sure that the partner protects data both within its application and in its hosting.