Ponemon Institute was founded in 2002 by Dr. Larry Ponemon. Headquartered in Michigan, Ponemon Institute is considered the pre-eminent research center dedicated to privacy, data protection and information security policy. Our annual consumer studies on privacy trust are widely quoted in the media and our research quantifying the cost of a data breach has become valuable to organizations seeking to understand the business impact of lost or stolen data.


The aforementioned facts and figures show that the data assets of individuals and organizations are at risk. Even more alarmingly, the healthcare industry in particular is being targeted by attackers and is therefore the most vulnerable. Thus, data privacy and confidentiality have become a serious concern for both individuals and organizations. Healthcare data are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security and should be breach-proof. In this study, our main concern was to investigate the healthcare data breaches reported or published by different eminent and authentic sources. We aimed to examine the causes of these breaches and use the results to improve healthcare data confidentiality. The analyzed factors that lead to healthcare data breaches will be addressed in our future research work to improve healthcare data confidentiality.

Validating models is essential for producing accurate results. Our estimates were validated using three different methods. First, cross-validation analyses were conducted within the dataset. The dataset was divided into two sets of respondents, with one part used to run the model and the other kept aside for validation. The model estimates were then compared to the results of the set-aside respondents to directly quantify the percentage of correct answers the model predicted. These cross-validation tests were repeated multiple times using different sample sizes and dividing the data in different ways. Second, the model estimates derived from the full dataset were compared to the results of independent, representative state- and city-level surveys conducted in California, Colorado, Ohio, Texas, San Francisco, and Columbus, Ohio in 2013. The mean absolute difference between model estimates and validation survey results was 2.9 percentage points (SD = 1.5) among the four states (CA, TX, OH, CO) and 3.6 percentage points (SD = 2.9) among the two metropolitan areas (Columbus, OH, and San Francisco, CA), well within the margins of error for the survey results alone (at a 95% confidence level). Estimates have also been validated internally through a series of technical simulations. Third, some model estimates were compared with third-party survey data collected by other researchers in previous years.

For the 2021 model estimates, uncertainty ranges are based on 95% confidence intervals using 999 bootstrap simulations. These confidence intervals indicate that the 2020 model is accurate to approximately 7 percentage points at the state and congressional district levels, and 8 percentage points at the metro and county levels. Such error ranges include the error inherent in the original national surveys themselves, which is typically 3 percentage points.

The states that have mandated data broker registration generally do not require a specific description of relevant data processing activities. California makes it optional for the data broker to provide within its registration any information concerning its data collection practices (Cal. Civ. Code 1798.99.82). Vermont, in contrast, is more demanding and requires registrants to disclose information regarding consumer opt-out, whether the data broker implements a purchaser credentialing process, and the number and extent of any data broker security breaches it experienced during the prior year. Where data brokers knowingly possess information about minors, Vermont law requires that they detail all related data collection practices, databases, sales activities, and opt-out policies (9 V.S.A. 2446).

Penalties are statute- and fact-specific. Under HIPAA, for example, monetary fines can range from US$100 to US$50,000 per violation (or per record), with a maximum penalty of US$1.75 million per year for each violation. By way of example, in 2020, the HHS and the attorneys general of 42 states entered into a US$39.5 million settlement with a health insurer in relation to a data breach affecting the health records of over 79 million individuals. Marking the current high point for enforcement, in 2019, a company agreed to pay a record penalty of at least US$575 million, and potentially up to US$700 million in a data breach settlement reached with the FTC, the CFPB, 48 states, the District of Columbia, and the Commonwealth of Puerto Rico.

State Attorneys General also played a key role in bringing enforcement actions under specific state laws in 2021. For example, in March 2021, 41 Attorneys General entered into an agreement with a medical debt collection agency following a major 2019 data breach, which affected up to 21 million individuals across the United States. Under the agreement, the agency is required to implement and maintain a number of data security practices and may be liable for a US$21 million payment to the states if the agency violates the agreement.

We anticipate that the following topics will remain hot over the next year: state-level consumer data privacy law initiatives will continue to proliferate as more states move laws through their legislatures, possibly driving action at the federal level, including possible rulemaking proceedings by the FTC; issues surrounding the collection and protection of biometric information (especially in relation to student privacy); consumer access to financial relief and other remedies when their data protection rights are violated, even in the absence of a showing of harm; issues surrounding AdTech and targeted behavioural advertising; issues relating to automated decision making fueled by artificial intelligence and machine learning; an increased focus by legislators and regulators alike on cybersecurity issues, particularly in the wake of data breaches and ransomware attacks involving significant technology vendor software and industrial operations; and targeting of cryptocurrency and digital assets such as non-fungible tokens by cybercriminals.

The reality for security today is that security leaders have too many tools. Gartner found in the 2020 CISO Effectiveness Survey that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio; 12% have 46 or more. Having too many security vendors results in complex security operations and increased security headcount.

Every state has voting system safeguards to ensure each ballot cast in the election can be correctly counted. State procedures often include testing and certification of voting systems, required auditable logs, and software checks, such as logic and accuracy tests, to ensure ballots are properly counted before election results are made official. With these security measures, election officials can check to determine that devices are running the certified software and functioning properly.

The GDPR has been considered a bellwether for data-privacy regulation. Even in Europe, policy makers are seeking to enact additional consumer-privacy measures, including the ePrivacy regulation (an extension of GDPR), which focuses on privacy protection for data transmitted electronically. Its status as a regulation (rather than a directive) means that it could be enforced uniformly across EU member states. The ePrivacy regulation is likely to be enacted in 2020.

Yahoo believed that a "state-sponsored actor" was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted. Yahoo had become aware of this breach back in 2014, taking a few initial remedial actions but failing to investigate further. It was only about two years later that Yahoo publicly disclosed the breach after a stolen database from the company allegedly went up for sale on the black market.

The California Department of Insurance is a lead state in the multi-state combined financial and market conduct examination. The financial and market conduct examinations will investigate all aspects of the data breach. A major component will include analyzing Anthem's information technology systems to determine what protections were in place and what actions could have been taken to minimize data losses.

Penalties: In 2020, The Home Depot paid a $17.5 million settlement for this breach. The company also agreed to upgrade its security training and program and hire a chief information security officer. Additionally, it agreed to undergo a post-settlement security assessment to evaluate the implementation of new security measures.

Security investment continues to rise: More than 80% of our survey respondents say their budgets have increased in the last year. IT security budgets are now up to 15% of all IT spending, 5 percentage points higher than reported in 2020.

The main fieldwork for the 2020 ACAPS survey was conducted immediately prior to the COVID-19 outbreak in Australia. The outbreak had an impact on attitudes to privacy with half (50%) of Australians considering that their privacy is more at risk in a COVID-19 environment than usual and almost half (48%) being more concerned about the protection of their location information than they were before the outbreak. Overall, more Australians feel comfortable than uncomfortable with the protection of their personal information while using digital services at home during the COVID-19 outbreak, whether it is for work, studying or personal use.

The main fieldwork for the 2020 survey was conducted immediately prior to the COVID-19 outbreak in Australia. The response to the COVID-19 pandemic was rapid and actions taken by government, businesses and individuals had implications for privacy. In response to the pandemic, an additional privacy survey was conducted in early April, several weeks after the first physical distancing rules were applied in all Australian states and territories, to understand the impact of these events on Australian attitudes to privacy.

