While the Target, Home Depot, Anthem and Office of Personnel Management breaches, among other large breaches, get most of the headlines, according to Travelers Insurance, 62% of all breaches hit small and medium-sized companies. Those statistics only cover the 34,000+ known incidents per day that are reported. According to NetDiligence, many more go undetected or are intentionally not reported for a variety of reasons.
And, even if you store your data in the cloud, the cloud service provider will not, except in some very rare cases, assume all liability for a breach. In many cases, they assume no liability at all.
Just today three items came across my desk regarding breaches and none of them were big companies.
- Central Ohio Urology Group, a medical practice with 29 physicians and physician assistants, lost over 100,000 Word and PDF documents to a Ukrainian hacker. They know it was a Ukrainian hacker because he or she displayed some of the data on a web site. Depending on what was in those 100,000 plus documents, we may have both a privacy breach and a HIPAA breach. The company’s web site does not mention the breach, but the phone system has a recording that says that they are investigating “possible criminal activity”. While 29 physicians and physician assistants makes this a somewhat large physician group, as a company that likely makes it smaller than a single local fast food location.
- Jefferson Medical Associates, a 16 physician group in Maryland, said that a server holding prescription information was accessed by “an unauthorized individual” (AKA a hacker) about June 1. They say that they don’t think that the hacker intends to use this data, although they don’t say why they believe that. While investigating this hack, they discovered that this hacker, or other hackers, accessed this system multiple times between March 2014 and June 2016, a period of over two years. This hack affects around 10,000 customers. Since this is also a medical practice, and prescription information was taken, this likely is both a HIPAA and privacy breach.
- The third incident reported today was an online retailer named EZcontactsUSA.Com, an online seller of contact lenses and sunglasses. They have settled with the New York Attorney General and agreed to pay a fine of $100,000 over losing control of 25,000 credit cards. In this case, the site was hacked in August 2014 and their bank told them they had a problem in June 2015 – almost a year later. They did hire a forensics company, which discovered and removed malware, but apparently they decided that they didn’t need to notify their customers (this falls into the category mentioned at the beginning of the article, intentionally not reporting breaches). They did advertise their site as 100% safe and secure – which I would recommend no one say. The AG said that they also did not implement reasonable security precautions in general.
So if we look at these companies, all three of which came across my computer today, none of them are name brand companies. None of these companies had even 50 employees. Likely none of these companies had a large IT team, or a cyber breach response plan.
Yet all of these companies will likely spend, at least, a hundred thousand dollars, if not significantly more, dealing with these situations.
My guess is that none of these firms had cyber risk insurance – I don’t know, but I speculate – so all of them will be writing large checks from their own checkbooks.
For those business executives who think they are too small to be attacked – the three companies above had 29, 16 and around 40 employees. Likely these companies also thought they were too small to be attacked and they are now paying the price for that incorrect thinking.