Dive Brief:
- The financial services industry contributed 62% of exposed data in 2019, though it accounted for 6.5% of data breaches, according to a report from data protection company Bitglass, compiled from data by the Identity Theft Resource Center (ITRC) and the Ponemon Institute.
- Capital One was a leading contributor to the amount of compromised data this year, following its data breach, announced in July, that exposed the personal information of 106 million customers. The bank hadn't suffered a breach since 2014. American Express and SunTrust suffered the most breaches since 2009, with five each.
- Across industries, financial services has the second-highest cost per breached record, behind health care. An average breach in financial services costs $210 per record, while a "mega breach," like Capital One's, can cost up to $388 per record. In health care, a breach can cost $429 per compromised record, according to the report.
Dive Insight:
Data breaches are forcing companies to harmonize security and privacy practices.
The California Consumer Privacy Act took effect Jan. 1, and as with the European Union's General Data Protection Regulation (GDPR), consumers have right to action following a data breach. The California law also affords companies a 30-day grace period to correct its violations.
Banks have a higher expectation for fast breach response than other companies. Two-thirds of consumers would stop doing business with a bank and switch to a competitor if the breach response was slow or ineffective, according to a September survey from credit reporting company Experian.
Less than one-fifth of companies feel confident they can inform privacy regulators of a breach within 72 hours, according to data from Ponemon Institute and McDermott Will & Emery.
An improperly configured firewall allegedly allowed a former employee of Amazon Web Services, Capital One's cloud partner, to access the data. The bank said it fixed the issue once it was discovered and disclosed the breach within days.
Hackers have an abundance of firewall flaws they can choose to exploit, but security flaws don't always lead to "reportable breaches" under privacy regulations. Unavailable systems or inappropriate security use don't fall under the purview of breaches worthy of reporting, according to Ponemon Institute.