Corporate Data Breaches Reported by a Third of In-House Counsel

A third of all in-house counsel report that their companies have suffered a data breach, according to a new survey released by the Association of Corporate Counsel. The larger the company was, the more likely it was to experience a breach. The most common causes were employee error and "inside jobs."

But, perhaps because of the high rate of data breaches, many companies are now taking greater steps to protect themselves and their data, though gaps in protection remain.

Everyone's Losing Their Data

The survey, conducted by the ACC Foundation, queried more than 1,000 corporate lawyers on their experiences with cybersecurity. A third of them had experienced a data breach. Almost half of those, 47 percent, were recent, occurring during 2014 or 2015. Larger companies seemed to be more vulnerable, with 45 percent of in-house counsel at companies with over 5,000 employees reporting breaches.

A little over half of the breaches were discovered internally. Corporate IT departments spotted the breach 44 percent of the time, compliance departments 14 percent. The rest of the breaches were brought to the company's attention by third party vendors, government agencies, or other outside sources.

Who was behind the breaches? Usually, it wasn't malicious external forces. Twenty-four percent of breaches were because of employee error and nine percent were the result of lost devices. Fifteen percent were "inside jobs." Those numbers aligned with a spring study by Baker Hostetler which found that most data breaches are caused by human error.

Traditional hacking like phishing, malware, and ransomware was responsible for just nine, seven, and one percent of breaches, respectively.

The Good News and the Bad

If there's a bright spot in the survey, it's that the increase in data breaches has lead to greater emphasis on cybersecurity, especially in the legal department. Fifty percent of GCs and CLOs want to increase their role in cybersecurity protection, according to the report. And in companies that have had a breach, 74 percent instituted at least minimal changes to address the risks. Those changes often involve turning to industry standards for cybersecurity best practices. According to the Association of Corporate Counsel:

In-house counsel were most likely to report following standards issued by the National Institute of Standards and Technology (NIST) and Statement on Standards for Attestation Engagements (SSAE) in the United States, while International Standardization Organization (ISO) standards were more common in Canada, EMEA (Europe, the Middle East and Africa) and Asia Pacific.

But the survey also revealed gaps in responses. Though employee error was the most common source of a data breach, less than half of respondents had mandatory IT training programs. Further, only 56 percent of in-house attorneys reported that they're companies were increasing spending on cybersecurity efforts.

Related Resources:

• Mandatory Data Breach Reporting Rules Finally Agreed by EUrocrats (The Register)
• Corporate Lawyers Are the Easiest Lawyers to Phish (FindLaw's Technologist)
• How to Phish Your Law Department Before the Hackers Do (FindLaw's In House)
• In-House Attorneys' Game Plan for Data Breaches and Cybersecurity (FindLaw's In House)