For more than three decades, NW3C has worked to support the efforts of state and local law enforcement to prevent, investigate and prosecute economic and high-tech crime. Dr. Gerald Cliff, the center’s research director, shared some statistics that underline the importance of proactive measures.
“Defenses will depend on the various types of data breaches a governmental entity is attempting to protect itself against: almost half (48.32 percent) of reported breaches in the governmental sector occur through preventable means,” he said. “Hacking, or unwanted electronic incursions into the IT system, only accounts for 20.44 percent while the combined categories of unintended disclosure (27.15 percent) and hostile insider (20.44 percent) account for 48.32 percent of data breaches reported in the governmental sector.”
According to Cliff, the best way to minimize or reduce such intrusions is “through policy and training, enforcement of rules regarding the authorized use of access to confidential databases and double checking the everyday administrative duties of staff to assure that there are no oversights through carelessness.”
Similarly, complacency can mean significant losses. As the aforementioned statistics indicate, the majority of data loss could be prevented through easy and cost-effective methods. In Cliff’s opinion, it comes down to proper training and placing emphasis on adherence to agency policy.
It also never hurts to assume the worst. In Cliff’s words, “It can generally be assumed that if an entity maintains a database of confidential information, there will be some form of data breach it will become a victim of.” That said, decision makers should plan for the inevitable before it happens so that damage is able to be minimized and recovery time kept at a minimum. Something as simple as having an emergency plan in place in the event of a cyber intrusion or data breach, Cliff said, can significantly mitigate the costs of such an event.
Another common oversight that can lead to substantial financial loss for a governmental entity is the failure to include data breach coverage in its insurance policy. The cost of hiring programming and digital forensics experts, purchasing software to prevent or recover from a cyber attack, tracking the origin, investigating the incident to identify the perpetrator and then attempting to prosecute all come with significant price tags. Depending on the number of individuals’ personal information compromised, these costs could prove “financially devastating,” Cliff added.
Speaking of devastating, Cliff cited specific data that shows just how these types of attacks can be to both public and private entities. He pointed out that although his organization does not know of one single entity tracking the costs of governmental data breaches, there are organizations that track the costs of data breaches in general. For example, IBM and the Ponemon Institute partner on a yearly basis to conduct a review of the number of data breaches and the costs of recovery from them, he said. The results are published in the “2015 Cost of Data Breach Study: Global analysis.”
“Although the report seems to focus on the topic in global and very general terms, we can see no reason why the cost of a data breach to a governmental entity would be any the less than a data breach to Target, Anthem or Sony,” he said. “That 2015 report indicates that the cost of a data breach has risen from $145 paid for each lost or stolen record containing sensitive and confidential information last year to $154 per lost or stolen record containing personally identifiable information in 2015.”
Taking these figures into account, it’s fairly easy to determine potential losses to government entities, according to Cliff: “All one needs to do to estimate the potential costs of a data breach to their respective municipality, is multiply the number of taxpayers whose names, dates of birth and social security numbers exist in their local database of taxpaying residents of their community.”