The Most Common Causes of Data Breaches in Highly Regulated Industries
Organizations in highly regulated industries struggle to keep up with changing requirements, with 62% of risk executives saying that policy shifts in technology and data are leading to the most change in their business. Not only must these organizations comply with industry-specific regulations and general data protection regulations, but they must also defend against the constant threat of a data breach.
Consider the most common causes of data breaches in highly-regulated industries in order to acquire appropriate protection and avoid costly breaches.
What Is a Data Breach?
A data breach is a confirmed exposure of confidential, sensitive, or protected information to an unauthorized party. Data breaches can be deliberate or accidental. The response to a data breach involves escalating security controls to eliminate the threat, notifying affected parties, repairing the harm caused, and restoring service.
Cost of a Data Breach
The average global cost of a data breach is $4.24 million, and organizations in highly regulated industries go on to incur higher costs in the years after a breach than those in low-regulation environments, as fines and legal costs arrive late.
The total cost also depends heavily on how long the breach lasts from first identification to containment. Data breaches with a life cycle of less than 200 days cost organizations 29.7% less than those with a life cycle of more than 200 days.
What Causes a Data Breach?
Some data breaches are due to internal failure or error, but most involve malicious outsiders exploiting a vulnerability to gain access. The most common methods are:
- Physical theft or loss: using data found on or stolen from devices such as laptops, phones, USB drives, or hard drives
- Brute force: using trial and error to discover passwords, encryption keys, or hidden web pages
- Social engineering: human-to-human deception
- Phishing: using fear and urgency to trick people into revealing personal, sensitive, or protected information
- Pretexting: assuming a false position of authority or a fabricated identity to deceive people into revealing information
- Malware: installing malicious software designed to carry out a particular action, such as scanning for and exploiting network vulnerabilities
- Ransomware: encrypting or stealing data, then demanding payment in exchange for restoring access or withholding publication
- Distributed Denial of Service (DDoS): overloading and disrupting a server, service, or network with a flood of excess traffic. On its own a DDoS attack disrupts availability rather than exposing data, but it is often used as cover for, or combined with, an intrusion.
Types of Regulation
Governments around the world are developing regulations to control the collection, access, sharing, and storage of data. Some industries are subject to more regulations than others.
In the EU and the UK, the processing of personal data is governed by the General Data Protection Regulation (GDPR) and, since Brexit, by the UK's retained version of it (UK GDPR). In the UK the Information Commissioner's Office (ICO) enforces the regulation; in the EU each member state has its own supervisory authority. These regulators perform audits and levy fines on non-compliant organizations operating within their jurisdiction.
Across the US, organizations are also subject to a growing body of state privacy legislation. California was the first state to enact comprehensive privacy protection, with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and Utah, Connecticut, Colorado and Virginia have followed suit. Each of these four states has major privacy legislation coming into effect during 2023.
Industry-Specific Standards and Regulations
The US has no single federal privacy law; instead, particular categories of data, such as health data or financial data, are protected by sector-specific statutes. Private sector organizations that handle protected data may be subject to any or all of the laws and regulations below.
NIST Cybersecurity Framework
Federal agencies are required to manage cybersecurity risk using the NIST Cybersecurity Framework (CSF), and federal contractors are bound by contract clauses to the NIST control catalogs the framework maps to, notably SP 800-53 for federal systems and SP 800-171 for controlled unclassified information. Documented non-compliance can lead to contract termination for federal contractors.
Outside of federal work, adoption of the framework is voluntary and unmonitored. Although the most recent version of the framework is not even five years old, NIST is already in the process of revising and reissuing it, underlining the ever-changing nature of the cybersecurity landscape.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the major card brands and is enforced contractually through acquiring banks rather than by a government regulator. Recurring compliance validation is required to continue accepting card payments, and severe financial penalties are levied on organizations found to be non-compliant in the wake of a data breach.
No federal law requires institutions to adhere to this standard, although some states have written similar requirements into their own laws.
Health Insurance Portability and Accountability Act (HIPAA)
The Department of Health and Human Services, through its Office for Civil Rights, enforces the Health Insurance Portability and Accountability Act (HIPAA), which protects patients' data privacy across the United States. Penalties are tiered by culpability and adjusted annually for inflation; at the figures cited here, violations incur a minimum fine of $120 per violation, while the maximum fine for a single violation is $60,226.
Gramm–Leach–Bliley Act (GLBA)
Consumer financial information held by financial institutions in the US is governed by the Gramm–Leach–Bliley Act (GLBA), whose Safeguards Rule is enforced by the Federal Trade Commission (FTC). Companies that do not comply with GLBA can be fined up to $100,000 per violation. Officers and directors can face up to five years in prison for the most serious violations, in addition to being fined up to $10,000 per violation.
Family Educational Rights and Privacy Act (FERPA)
Reported violations of FERPA, the federal law protecting student educational records, are investigated by the Department of Education, which can withhold federal funding from educational institutions that fail to comply.
Fair Credit Reporting Act (FCRA)
The FTC and the Consumer Financial Protection Bureau share responsibility for investigating complaints and punishing violators of the Fair Credit Reporting Act (FCRA). Statutory damages range between $100 and $1,000 per violation.
Children's Online Privacy Protection Act (COPPA)
The personal information of children under 13 is also protected by the FTC, which pursues court judgments against organizations suspected of violating the Children's Online Privacy Protection Act (COPPA). Court-assessed penalties are costly, up to $46,517 per violation.
Electronic Communications Privacy Act (ECPA)
The Electronic Communications Privacy Act (ECPA) governs the interception of, and access to, electronic communications. Criminal violations are prosecuted by the US Department of Justice, and operators who fail to comply can be fined up to $250,000 and/or sentenced to up to five years in prison. Violators may also face civil suits.
California Consumer Privacy Act (CCPA)
The California Attorney General and, since the CPRA amendments, the California Privacy Protection Agency enforce the California Consumer Privacy Act (CCPA). Unintentional violations carry a maximum penalty of $2,500 per violation, while each violation determined to be intentional can cost up to $7,500.
Data Breaches in Highly Regulated Industries: Common Causes and Examples
Organizations that require the collection, access and storage of sensitive data are regulated according to the industry in which they operate. Attackers customize their approach based on the target’s resources, infrastructure, and access points, which are often dictated by industry standards or regulations. Therefore, it is possible to observe industry patterns in both the type of data targeted and the most common methods of attack, as well as notable exceptions to these trends.
Financial Services
US operators in financial services may need to comply with the requirements of multiple regulatory bodies, including the SEC, the FTC, and the Financial Industry Regulatory Authority (FINRA).
Payment services companies that conduct business inside the European Union/European Economic Area are subject to the revised Payment Services Directive (PSD2) and its Regulatory Technical Standards on strong customer authentication, in addition to GDPR.
Personal and bank information are two of the top three attack targets in the financial services sector, which also experiences significant credential theft. Denial-of-service attacks account for 58% of reported security incidents in the sector; since they disrupt availability rather than expose data, they count as incidents rather than breaches under the definition above.
However, internally caused exposures can be just as damaging as external attacks. An access-control flaw in a public-facing First American Financial Corporation website, which let anyone retrieve document records by changing an ID in the URL without authenticating, exposed roughly 885 million consumer records. Although no evidence of theft or misuse was uncovered, the SEC fined the organization nearly $500,000 for deficient disclosure controls.
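The First American exposure is the textbook form of an insecure direct object reference (IDOR): the record's database key appears in the URL and the server never checks who is asking. The following is an added example, not First American's code; the records, account names and document IDs are constructed for illustration. It shows the flawed lookup, the enumeration it invites, and a hardened version that authenticates the caller, checks ownership on the server, and uses unguessable tokens instead of sequential keys for share links.

```python
"""Insecure direct object reference (IDOR): the vulnerable lookup beside a hardened one.

Added example, not First American's code. The record store, account names and
document IDs are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int   # sequential database key, the value exposed in the URL
    owner: str    # account entitled to read the record
    body: str


# Constructed sample records. Sequential keys mean every record is guessable.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "closing statement, 12 Elm St"),
    1002: Document(1002, "bob", "wire instructions, account ending 4417"),
    1003: Document(1003, "carol", "tax return, SSN ending 9120"),
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """The flawed pattern: whoever supplies an ID gets the record.

    The caller's identity is never consulted, so the database key alone
    acts as the credential."""
    doc = DOCUMENTS.get(doc_id)
    return doc.body if doc else None


def enumerate_vulnerable(start: int, count: int) -> List[str]:
    """What an attacker does against the flawed endpoint: walk the ID space."""
    found = []
    for doc_id in range(start, start + count):
        body = fetch_document_vulnerable(doc_id)
        if body is not None:
            found.append(body)
    return found


class AuthorizationError(Exception):
    pass


def fetch_document(caller: Optional[str], doc_id: int) -> str:
    """Hardened lookup: require an authenticated caller and check ownership
    on the server. 'Missing' and 'not yours' produce the same error so the
    endpoint cannot be used to confirm which IDs exist."""
    if caller is None:
        raise AuthorizationError("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != caller:
        raise AuthorizationError("not found")
    return doc.body


# Defence in depth for unauthenticated share links: an unguessable token
# stands in for the sequential key, and only the owner can mint one.
SHARE_TOKENS: Dict[str, int] = {}


def issue_share_token(caller: str, doc_id: int) -> str:
    fetch_document(caller, doc_id)      # raises unless the caller owns the record
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not enumerable
    SHARE_TOKENS[token] = doc_id
    return token


def fetch_by_share_token(token: str) -> str:
    """Constant-time comparison so response timing does not leak token prefixes."""
    for known, doc_id in SHARE_TOKENS.items():
        if hmac.compare_digest(known, token):
            return DOCUMENTS[doc_id].body
    raise AuthorizationError("not found")


if __name__ == "__main__":
    print("attacker enumerating the flawed endpoint:", enumerate_vulnerable(1000, 10))
    print("owner reading own record:", fetch_document("alice", 1001))
    try:
        fetch_document("alice", 1002)
    except AuthorizationError as err:
        print("cross-account read blocked:", err)
    link = issue_share_token("bob", 1002)
    print("share link resolves for bob's record:", fetch_by_share_token(link))
```

The point of the hardened version is that authorization is decided from the server's own record of who owns what, never from anything the client supplies; the random share token is an additional layer, not a replacement for that check, and it is issued only after the same ownership test passes.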
Energy and Utilities
With the rollout of mandatory smart meters in Ontario and the Netherlands, concerns are being raised about data security and privacy in this industry. In the US there is no federal privacy regulation specific to utility customer data (the mandatory NERC CIP standards cover the cyber assets of the bulk electric system, not consumer information), but the energy and utilities space is likely to experience more oversight as it increasingly relies on the collection of consumer data.
While most attacks in the energy sector are financially motivated, espionage is the motive in 22%. Attackers in this industry most often target credentials, and phishing is to blame for 60% of all breaches in the energy and utilities sector.
However, malicious insiders plague this highly regulated industry as well. An engineer at GE talked a colleague into granting him elevated access on the corporate network, which he used to exfiltrate trade secrets, including portions of a computer program and commercially sensitive calculations. The theft was detected, tracked, and proved in court, and GE was awarded $1.4 million in restitution.
Healthcare
HIPAA protects medical records and personal health information. Enforcement of HIPAA is carried out by the Department of Health and Human Services' Office for Civil Rights.
The average cost of a data breach in healthcare is $9.23 million, more than twice the global average. While this industry has long been plagued by insider misuse, most healthcare data breaches are now caused by basic web application attacks, that is, stolen credentials or exploited vulnerabilities in internet-facing applications. The main targets are personal and medical information.
One malware-based breach at a Texas healthcare facility affected 1.24 million patients; the facility is currently under investigation for suspected HIPAA violations. In a separate case, a ransomware attack gave criminals access to the data of an actuarial consultancy, which paid an undisclosed sum in exchange for a promise not to publish the information. The firm now faces a class-action suit.
The healthcare industry is also vulnerable to physical breaches. Two hard drives were stolen from Brighton and Sussex University Hospitals, exposing the data of an unknown number of patients. The ICO fined the trust £325,000 after patient data showed up for sale on eBay.
Public Administration
Public administration activities carried out at the federal level must comply with the NIST Cybersecurity Framework and, by statute, the FISMA security controls it maps onto.
Nearly 60% of public administration data breaches result from system intrusions. 80% of breaches in this sector are financially motivated, while espionage is the intent behind 18%. Stolen credentials were to blame for an attack on the United Nations after the UN failed to enable two-factor authentication (2FA) on its proprietary project management software: attackers simply logged in with the stolen credentials and, once inside, harvested additional credentials that have been linked to further attacks.
In the public administration sector, a simple mistake can quickly become costly because of the highly regulated environment. For example, a web application of a Texas government agency failed to protect the data of 1.8 million individuals. An investigation by the HHS Office for Civil Rights found that no harm had resulted from the exposure and that the agency had taken the application down immediately upon discovering the flaw. A $1,000 penalty was nevertheless assessed for each day the app had been in operation, totaling $1.6 million.
Insufficient employee training was determined to be the cause of one massive public sector data loss. 20 terabytes of data, including evidence from 17,000 court cases, were permanently lost when an inadequately trained IT technician was allowed to attempt a cloud migration. No malicious intent was found on the part of the employee.
Education
Organizations operating in the education sector must defend themselves against attacks while maintaining compliance with FERPA. In this industry, financially motivated attackers most often pursue personal data and credentials. 34% of cybersecurity incidents at educational institutions in 2022 were due to email misdelivery, either attaching the wrong document or sending a document to the wrong recipient.
When educational institutions across three countries were affected by a ransomware attack in 2020, more than 20 class-action suits were filed against Blackbaud, the third-party vendor blamed for the data breach. Blackbaud estimated the cost of resolving the breach at $25-35 million.
Retail
When attackers target retail companies, credentials are usually the primary target, although payment data and personal data are also sought after in this industry. Stolen credentials, particularly administrative ones, let attackers grant themselves the permissions needed to install software, and they take advantage of this: 50% of data breaches in the retail sector involve malware.
Retail organizations are also susceptible to attack through their relationships with third-party vendors. In 2013, attackers gained access to Target's network using credentials stolen from its HVAC provider, at a net cost to the organization of $202 million.
How to Prevent Data Breaches in a Highly Regulated Industry
Any organization in any industry can be attacked at any time, but certain sectors carry higher risks. Organizations involved in information technology or public administration, for example, experience more system intrusion attacks than their peers, while healthcare organizations are most often the target of basic web application attacks.
To help prevent a data breach, organizations subject to strict regulations must develop a comprehensive risk management strategy, automate compliance activities, and enforce a robust internal security policy.
1. Develop a Cybersecurity Risk Management Strategy
A well-rounded cybersecurity risk management strategy is the first line of defense for organizations in high-regulation industries. The NIST cybersecurity framework can be adapted for use in most contexts, with additional, industry-specific regulatory requirements added as necessary.
Elements of a comprehensive cybersecurity risk management strategy may include:
- A security solution that leverages advanced behavioral analytics to automatically protect the digital environment and prevent data breaches
- Identifying or onboarding a risk management lead who owns the program
- Performing regular risk assessments
- Acting on risk assessment findings, with tracked remediation
- Development and maintenance of security protocol documentation
- User education and integration of cybersecurity mindset into company culture
2. Automate Compliance with External Regulations Using a Compliance Management System
Compliance management systems are an invaluable time-saving resource for organizations. Look for products that automatically detect and categorize sensitive data, including PHI, PFI, and PII. OCR-capable solutions extend coverage to scanned documents and images, so protected information in non-text form is found as well.
Not only can compliance management systems automate sensitive data protection, but they also contain forensic features that can be used to verify compliance or to support an audit. Immutable logs, session tracking, and risk reports form a picture of the compliance environment, while reports on security events demonstrate how the compliance management strategy is applied in real time.
The rapidly shifting cybersecurity threat landscape requires regular revision of regulations. For example, the major credit card companies recently released the newest version of their data protection standards, PCI DSS v4.0, and the National Institute of Standards and Technology (NIST) is currently revising their widely used cybersecurity framework. Choose a solution with automatically updating, industry-relevant, pre-built compliance template rules to save time and guarantee compliance.
3. Track and Enforce Internal Security Policy with Advanced Threat Detection
Adherence to relevant industry regulations is necessary to avoid penalties, reputational damage, and loss of business, but compliance efforts must be supported by an organization-specific internal security policy to provide a secure digital environment. Software solutions that provide compliance management and advanced threat detection capabilities meet both internal and external needs in a single package.
At a minimum, choose a product that features endpoint encryption, intrusion prevention, and automated threat response. For the best protection currently available against a data breach, companies in highly regulated industries should seek tools that leverage user and entity behavior analytics (UEBA) to detect anomalies system-wide and that analyze historical security behavior to generate risk assessments.
Organizations operating in highly regulated industries must do more than comply with minimum security requirements. In the event of a breach, documented adherence to a robust compliance management strategy may prevent regulatory fines and penalties but these and other post-breach responses amount to only 27% of the total cost of the average data breach.
While a compliance management strategy is a necessity for any organization operating in a highly regulated industry, it is not enough on its own to prevent a data breach. Additional, proactive controls such as data loss prevention (DLP) and insider threat protection must also be implemented to adequately secure data.