BakerHostetler Report Reveals Employee Negligence is Primary Cause of Security Breaches

A report recently released by BakerHostetler shows that employee carelessness was a leading cause of security breaches in 2014.

Summary: A report recently released by BakerHostetler shows that employee carelessness was a leading cause of its clients’ security breaches in 2014.

BakerHostetler’s Privacy and Data Protection team has released a report stating that the primary cause of its clients’ security breaches in 2014 was human error. According to CSO Online, employee negligence was a primary cause of breaches in 36 percent of its clients’ cases. Outside theft was responsible for 22 percent, insider theft for 16 percent, malware for 16 percent, and phishing for 14 percent of the breaches. The data is based on over 200 incidents, and, although the sample size of the group is fairly small, the numbers reflect what bigger reports have also found. The chair of the U.S. Securities and Exchange Commission, Mary Jo White, has said that cyber-attacks against the United States are the “biggest risk we face,” according to Bloomberg.


No industry is immune to such a breach, but the healthcare industry suffered the most incidents in 2014, primarily due to strict notification requirements.

BakerHostetler just added a 30-attorney team to its firm.

The healthcare industry is followed by retail and hospitality, financial services, professional services, and education in the number of breaches suffered. Although the healthcare industry had the largest number of incidents, the types of incidents that hit the professional services industry were the most severe in nature.


The report read, “While PHI incidents are disclosed more frequently, driven in part by HIPAA presumption that a breach occurred, the severity when measured by number of affected individuals is often less (many incidents affect less than 10 people). It is also not surprising that professional services and retail/hospitality services providers top the list when it comes to severity. And because incidents affecting these sectors often require forensic investigation and draw more media coverage, the cost and potential financial consequences are dramatically higher on a per-incident basis.”

Interestingly, most incidents are not self-detected, but BakerHostetler’s clients discovered the breaches 64 percent of the time.

Most of the clients dealt with electronic breaches, but 21 percent were paper-related, which is not surprising, considering most medical offices and law firms use paper records.

In 2013, the firm merged with Woodcock Washburn.

Most of the clients offered credit monitoring after the breaches occurred. The report noted, “Whether paper or electronic, the data at risk that led to the decision to notify in 58 percent of our incidents was data subject to state breach notification laws, such as Social Security or driver’s license numbers and financial account information. Health information was affected in 34 percent of the incidents and eight percent involved payment card data.”

As for regulatory action, less than five percent called for multi-state inquiries, and just 59 cases required notifying the state attorney general. According to the Wall Street Journal, new laws are being proposed that would not require companies to disclose minor breaches.

Retail clients suffered fines and assessments from four credit card brands that ranged from $5,000 to $50,000. The initial demand for fraud assessment and operating expense ranged from $3 to $25 per card.

Legislators met to discuss online security after was hacked.

Gerald Ferguson, the co-leader of BakerHostetler’s Privacy and Data Protection Team, said, “While sophisticated software and monitoring/detection systems have become more widely adopted, our data suggests that many security breaches still result from low-tech missteps. Chief information security officers should combine general security awareness training with state-of-the-art data security architecture, to minimize vulnerabilities.”

Clearly, humans are still the highest risk for such breaches, and the issue unfortunately does not have a simple fix.

Source: CSO Online
