How to Prepare for and Respond to a Data Privacy Breach


Before I started covering cybersecurity, I thought the term "breach" had one meaning: an attacker stole data from a computer system. I also assumed that all the variations of the word meant the same thing.

Since then I have learned the differences between a breach, a data breach, and a data privacy breach. The difference matters: misclassifying an incident can put an organization in violation of a law or out of compliance with a regulation without anyone realizing it.

Privacy regulations, such as the General Data Protection Regulation (GDPR) or state-specific laws, specify how an organization must respond to a privacy breach. Failing to comply can mean fines on top of the negative publicity. According to Gartner, the personal data of 65% of the world's population will be protected by modern privacy regulations by 2023, up from 10% in 2020.

Breach, Data Breach or Data Privacy Breach?

Compliance with data privacy regulations depends on understanding the terms.

The general term "breach" (or breach of security) means that a person who is not authorized to access a computer system has done so. It describes only the act of gaining access, and says nothing about whether any data was taken.

In a data breach, information was accessed, and likely copied or stolen, from the systems that were compromised.

In a data privacy breach, the information accessed is personally identifiable information (PII). The Department of Homeland Security defines PII as any information that permits a person's identity to be directly or indirectly inferred, including any information that is linked or linkable to that person. Examples include sensitive financial and personal data such as Social Security numbers, bank account numbers, personal health data, and credit card numbers.

A business facing a data privacy breach must follow every privacy rule that protects each affected person's stolen information. For example, if even one affected customer resides in the European Union, the company must follow the GDPR's reporting protocol, which includes notifying the supervisory authority within 72 hours of becoming aware of the breach. Many companies also offer identity theft protection, free credit reports, and credit monitoring to consumers affected by a data privacy breach.

To add to the confusion, the media and consumers often use "data breach" to refer to both data privacy breaches and general data breaches. From a privacy regulatory perspective, however, the distinction is important. If an attacker gains access to proprietary company data, such as information about an upcoming product, it is a data breach. If they steal employee Social Security numbers, the incident is a data privacy breach.
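The classification rule above (data breach versus data privacy breach, and which notification regime each affected person triggers) is simple enough to encode as a first-pass triage. The script below is an added example, not code from the article: it scans a constructed sample of exfiltrated records for the PII types the article lists (Social Security numbers, email addresses, payment card numbers validated with the Luhn checksum), classifies the incident, and maps each affected person's residency to a notification rule. The field names, the sample records, and the `NOTIFICATION_RULES` table are assumptions for illustration; only the 72-hour GDPR deadline (Article 33) is taken as fact, and any other regime must be looked up rather than read from this table.

```python
"""Triage an exposed data set as a data breach or a data privacy breach.

Added example, not from the original article. Detectors, field names, sample
records and the notification table are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Detectors for the PII categories the article names. SSN: 3-2-4 digits with
# the invalid area (000, 666, 9xx), group (00) and serial (0000) values excluded.
SSN_RE = re.compile(r"^(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CARD_RE = re.compile(r"^\d{13,19}$")

# Assumed residency -> notification rule table. Only the GDPR entry is a fact
# (Article 33); anything not listed must be checked against local law.
NOTIFICATION_RULES = {
    "EU": "GDPR Art. 33: notify the supervisory authority within 72 hours of becoming aware",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real card number from a random digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pii_types(value: str) -> set[str]:
    """Return the PII categories one field value matches (empty set if none)."""
    found: set[str] = set()
    v = value.strip()
    if SSN_RE.match(v):
        found.add("ssn")
    if EMAIL_RE.match(v):
        found.add("email")
    compact = v.replace(" ", "").replace("-", "")
    if CARD_RE.match(compact) and luhn_ok(compact):
        found.add("payment_card")
    return found


@dataclass
class Triage:
    kind: str                                   # "data breach" or "data privacy breach"
    pii_found: set[str] = field(default_factory=set)
    jurisdictions: set[str] = field(default_factory=set)
    notifications: dict[str, str] = field(default_factory=dict)


def triage(records: list[dict[str, str]]) -> Triage:
    """Classify exposed records; a residency counts only if that record held PII."""
    pii: set[str] = set()
    jurisdictions: set[str] = set()
    for rec in records:
        rec_pii: set[str] = set()
        for key, value in rec.items():
            if key != "residency":          # assumed name of the residency field
                rec_pii |= pii_types(value)
        if rec_pii:
            pii |= rec_pii
            if "residency" in rec:
                jurisdictions.add(rec["residency"])
    if not pii:
        return Triage(kind="data breach")
    notifications = {
        j: NOTIFICATION_RULES.get(j, "not in this table: check the local breach-notification law")
        for j in sorted(jurisdictions)
    }
    return Triage("data privacy breach", pii, jurisdictions, notifications)


# Constructed samples: a product roadmap (no PII) and a customer export (PII).
PRODUCT_ROADMAP = [
    {"item": "Q3 launch: widget v2", "owner": "product team"},
    {"item": "Q4 launch: pricing change", "owner": "finance"},
]
CUSTOMER_EXPORT = [
    {"name": "A. Customer", "email": "a.customer@example.com", "residency": "EU"},
    {"name": "B. Customer", "ssn": "123-45-6789", "residency": "US-CA"},
    {"name": "C. Customer", "card": "4111 1111 1111 1111", "residency": "US-CA"},
]

if __name__ == "__main__":
    for label, data in (("roadmap", PRODUCT_ROADMAP), ("customers", CUSTOMER_EXPORT)):
        result = triage(data)
        print(f"{label}: {result.kind}; PII={sorted(result.pii_found)}")
        for j, rule in result.notifications.items():
            print(f"  {j}: {rule}")
```

Pattern matching of this kind is a triage aid, not a legal determination: a data set with no field that matches these detectors can still be PII under the DHS definition if it is linkable to a person, so the result feeds the privacy team's review rather than replacing it.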


Breaches involve lengthy recovery and costly fines

One of the main keys to reducing damage after a data privacy breach is speed of response. Many organizations use automation to get there: a security orchestration, automation and response (SOAR) platform runs the breach-response playbooks, and privacy tooling likewise automates the handling of data subject access requests (DSARs). With this technology, companies coordinate teams and accelerate their response. Most importantly, these platforms enforce repeatable and consistent processes, which are hard to maintain during the high-stress period after a breach.

Many organizations assume that once they have followed their response protocols, the worst effects of the breach are behind them. But the SEC can still find the victim at fault, not for being breached but for how it disclosed the breach, and levy hefty fines. First American Financial Corporation was fined $487,616 over its disclosure controls around a vulnerability that exposed sensitive customer information. The impact was greater for Pearson plc, a London-based publishing company, which agreed to pay $1 million to settle charges of misleading investors about a 2018 cyber breach. That data privacy breach affected millions of student records, including birth dates and email addresses, and the SEC found that the company lacked adequate disclosure controls and procedures.

Beyond fines, the business impact of a breach is significant. The IBM 2022 Cost of a Data Breach report puts lost business costs at an average of $1.42 million, covering customer churn, downtime, and the cost of acquiring new business. Other costs include detection and escalation ($1.44 million), breach response ($1.14 million), and notification ($270,000).

Prevent privacy breaches

Organizations need strong privacy policies, processes, and tools to manage data privacy and reduce vulnerabilities. Classifying sensitive data correctly and applying handling rules specific to each class lets you manage that data better. This is especially important in hybrid cloud environments, where each environment must be checked against the same standards.

In some organizations, separate teams manage privacy and security. The security team focuses on protecting data, while the privacy team works on data policies such as collection, storage, retention, and deletion. Yet security and privacy, both as practices and as regulations, are intertwined. When the two teams work together, the organization both reduces its risk of a breach and improves its response to a privacy breach.

The IBM 2021 Cost of a Data Breach report named zero trust as one of the most effective ways to reduce the cost of a breach: companies with mature zero trust deployments reported breaches costing $1.76 million less than those without zero trust. The principles of a zero trust framework reduce both the likelihood and the impact of a breach. Multi-factor authentication lowers the chance of unauthorized access; identity and access management (IAM) limits what an insider, or an attacker holding an insider's credentials, can reach; and microsegmentation contains the damage, because an attacker who gets in can reach only a small portion of the network and data.

Many experts say it is not a question of whether an organization will face a data privacy breach, but when. Reducing vulnerabilities is the first step in preparing for one; the second is being ready to respond to a breach when it happens. Together, these limit both the costs and the reputational damage.
