BakerHostetler Data Security Incident Response Report Shows Human Error is More Often to Blame

Findings highlight employee negligence as primary factor in majority of cases; No industry is immune; Enhanced detection capabilities critical

May 7, 2015

4 Min Read


New York (May 7, 2015) – Human error was the number one cause of data security incidents according to a new report released today by the Privacy and Data Protection Team at BakerHostetler. In the incidents that the firm worked on last year, employee negligence was responsible 36% of the time. That was followed by theft by outsiders (22%), theft by insiders (16%), malware (16%) and phishing attacks (14%).

The BakerHostetler Data Security Incident Response Report provides insights generated from the review of more than 200 incidents that the law firm advised on in 2014. It looks at the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. BakerHostetler’s award winning Privacy and Data Protection team is one of the nation’s largest and most comprehensive practices, providing incident preparedness and response services,  privacy compliance counseling, and litigation and regulatory defense.

The full report can be found here:

The report also makes clear that no industry is immune from threats to its sensitive information. Industries represented in the report include education, financial services, retail, insurance, technology, entertainment, hospitality and, in particular, healthcare sectors. While healthcare topped the chart of industries affected, that is due in part to strict data breach notification laws that all healthcare providers must follow.

“It is important for companies to understand that data security is not just an issue for retailers, financial firms and hospitals. Incidents do not only occur at businesses that have payment card data or protected health information,” said Theodore Kobus, co-chair of BakerHostetler’s Privacy and Data Protection team. “Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk that executive leadership and boards of directors must confront.”

Rapid Response is Critical

The BakerHostetler Report shows that incidents were self-detected 64% of the time. Of the incidents reported by a third party, 27 % were due to theft. According to BakerHostetler, a quick response to an incident is important for several reasons, including creating the opportunity to stop an attack in its early stages before sensitive data is accessed, preserving available forensic data to enable a precise determination of what occurred, and generating affirmative evidence to help the company respond in a way that protects  affected  individuals and minimizes potential financial and reputational consequences.

Detection Times Must be Shortened

For incidents that involved identifiable dates of detection and notification, the average amount of time that elapsed from incident occurrence to detection was 134 days. Many of the incidents the firm worked  on involved protected health information, and on average notification was made within 50 days of the time the company became aware of the incident (notification is required within 60 days of discovery when PHI is involved).

Among the other notable statistics in the report are:

  • Not all security lapses involved the theft or hacking of electronic records. Of the incidents included in the report, 21 percent involved paper records

  • 58% of the incidents required notification of affected individuals – based on state breach notification laws

  • Credit monitoring was offered in 67% of the incidents

  • In 75 incidents where notification letters were mailed, only five of the companies faced litigation by potentially affected individuals

  • Attorneys General were notified in 59 cases, resulting in inquiries 31% of the time. Multi-state inquiries were initiated less than 5% of the time

  • For incidents involving stolen payment card data, PCI Data Security Standards fines for non-compliance ranged from $5,000 to $50,000 per matter. Initial demands for operating expense and fraud assessments ranged from $3 to $25 per card involved

“While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture to minimize vulnerabilities,” said Gerald Ferguson, co-leader of BakerHostetler’s Privacy and Data Protection Team.

“Our analysis shows that best-in-class cyber risk management starts with awareness that breaches cannot be prevented entirely, so emphasis is increasingly on defense-in-depth, segmentation, rapid detection and containment, coupled with ongoing effort to monitor threat intelligence and adapt to changing risks,” added BakerHostetler Privacy and Data Protection Team partner Craig Hoffman.


About BakerHostetler
One of the nation’s leading law firms, BakerHostetler helps clients around the world to address their most complex and critical business and regulatory issues. With five core national practice groups – business, employment, intellectual property, litigation, and tax – the firm has more than 900 lawyers located in 14 offices coast to coast. BakerHostetler is recognized for its role as court-appointed counsel to the Securities Investor Protection Act (SIPA) Trustee in the recovery of billions of dollars in principal lost in the Ponzi scheme perpetrated by Bernard L. Madoff. Additionally, BakerHostetler is widely regarded as having one of the country’s top 10 tax practices, a nationally recognized litigation practice, data privacy practice, and an industry-leading middle market business practice. For more information, visit


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights