Media reports and surveys are revealing the extent to which organisations are vulnerable to the effects of data security breaches

Cyber risk

In an era when everything, from cars to nuclear reactors, is increasingly operated by computers and when so much of what we do every day – shopping, banking and socialising – is done electronically, it is no surprise that digital information has become so valuable and that criminals and mischief-makers are being drawn to the cyber world.

As a result, accidental data loss (such as the inadvertent publication of material on the internet or an unencrypted laptop being left on a train) can cause a range of legal problems for organisations. Regulators are, therefore, becoming increasingly involved in the realm of electronic data storage.

The scale of the problem is evident when you consider the number of cyber threats reported during just one week at the end of May. A wave of potentially destructive computer attacks emanating from Iran struck American corporations, and a Syrian organisation launched a cyber attack against the water distribution system of Haifa (Israel’s third largest city).

$300bn annual losses

Meanwhile, annual losses from the theft of US intellectual property were estimated to be on a similar scale to the US’s total exports to Asia (at about $300bn a year) and a Californian court dismissed a lawsuit brought against Delta Airlines for failing to comply with the California Online Privacy Protection Act by not properly disclosing the data collection and user policies associated with its Fly Delta smartphone app.

Add to that the UK’s Sunday Mirror newspaper reporting that thousands of confidential patient records had been stored outdoors on a pallet in an industrial estate; Costa Rica and Peru bringing new data protection regulations into force; a Turkish group allegedly hacking into Ohio’s Akron Canton Airport website; and hackers attacking Saudi official websites, and it is obvious that the problem is widespread and global.

In the UK, the Department for Business, Innovation & Skills (BIS) recently published its 2013 information security breaches survey. This revealed that the number of breaches affecting UK businesses was continuing to increase and that, over the previous year, 93% of large organisations and 87% of small businesses had reported security breaches. The median number of breaches for a large organisation was 113, with the average cost of the worst incidents between £450,000 ($695,000) and £850,000.

Most security breaches were caused by criminals, ‘hacktivists’ and competitors, but many were the result of failures in technology, processes and people. There appeared to be an increasing number of breaches related to social networking, smartphones and tablets, which suggests that businesses are failing to keep up with the way in which their employees are working. In the UK, for example, 87% of large organisations allow mobile devices to connect to their systems remotely.

The BIS survey also indicated that 83% of large organisations and 75% of small ones had confidential or highly confidential data in the cloud – and they were beginning to experience security or data breaches affecting their cloud-based services.

Protecting your business

Risk managers are increasingly aware of the need to obtain cover to protect against data security breaches. Cover can include first-party exposure, such as loss or damage to digital assets, business interruption, cyber extortion, reputational damage and theft of money and digital assets; and third-party exposures, such as security and privacy breaches, breach investigations, customer notification, defamation claims, breach of privacy, negligence and loss of third-party data.

Overall, the statistics suggest there is a correlation between the amount organisations spend on security and training, and the number of breaches they suffer. With cyber-attacks growing in frequency and intensity, it is becoming vital for organisations to protect themselves through a combination of training, security and insurance.

Tim Smith is a defamation partner and head of the media and technology team at Berrymans Lace Mawer