All around the world, data breaches are a growing problem that organizations have to deal with. In recent years, the number of data breaches across the United States and Europe has continued to go up. What’s more, the numbers are unlikely to be going anywhere but up in the near future.
Because of the GDPR, CCPA, and other privacy laws, data breaches aren’t only an embarrassment anymore, either. Having personal data leak can lead to serious consequences in terms of fines, as well as a substantial loss of reputation. As a result, organizations have significantly ramped up cybersecurity expenditure in recent years. Between 2021 and 2025, that expenditure is expected to exceed $1.75 trillion ($350 billion average per year), a steep rise for an area that saw only $3.5 billion invested in 2004.
Aside from security itself, how an organization handles itself in the aftermath of a breach is vital to both its reputation and its potential costs. When personal data leaks, the data privacy laws obligate organizations to act quickly. As is typical with these laws, non-compliance can be severely penalized. What’s more, since fines and the like are made public, the potential cost of a data breach is reputational as well as financial.
In this article, we discuss specifically how a company that has been breached can best handle what comes next: what must be done in the aftermath of a data breach, what timeframes must be kept in mind, and how an organization can do everything it is required to do in the time provided.
What is a data breach?
The most obvious types of data breaches are leaks and hacks. These are clear instances in which personal data has been lost or stolen. A leak is usually a consequence of human error: too much information is sent to the right person, or any information is sent to the wrong one. In both cases, if personal data is involved, this constitutes a data breach. Hacking is even more straightforward: a cyber-criminal gains unauthorized access to a system and steals data.
However, data breaches are not always that obvious. The 2021 guidelines of the European Data Protection Board (EDPB) remind us that, under the GDPR, breaches take three distinct forms:
- Confidentiality breach - where there is an unauthorized or accidental disclosure of, or access to, personal data;
- Integrity breach - where there is an unauthorized or accidental alteration of personal data;
- Availability breach - where there is an accidental or unauthorized loss of access to, or destruction of, personal data.
Leaks and hacks fall under confidentiality breaches. Unauthorized access (hacking) could also lead to an integrity breach. Availability breaches are a bit more complicated, and they broaden the scope of what constitutes a data breach significantly: they include the loss of a device containing sensitive information as well as ransomware attacks. There has been no explosion in the number of devices being lost, but ransomware attacks are very much on the rise. According to a report by Check Point, the number of ransomware attacks nearly doubled in the first six months of 2021.
Lest we immediately run for the panic button, not every loss of availability needs to be treated as a full-on data breach. Article 34 of the GDPR specifies that a loss of access doesn’t need to be treated as a data breach in certain cases. Two conditions can negate it:
- The implementation of appropriate technical and organizational protection measures, in particular measures that render the lost data unintelligible to any person not authorized to access it (i.e. encryption);
- Steps taken following the breach that ensure the risk to the rights afforded by the GDPR is no longer likely to materialize. According to the Article 29 Data Protection Working Party, this applies when an organization is able to identify and take action against an individual who has accessed personal data before they were able to do anything with it.
If either of these conditions is met, the organization need not immediately notify the individuals whose data has been breached. This does not absolve the organization of reporting the breach internally and to the relevant Supervisory Authority, however.
The challenges of dealing with data breaches
When a data breach occurs, organizations must report it without undue delay, and at most within three days (72 hours). From the moment an organization becomes aware of a breach, speed is of the essence. To report a breach of personal data to the authorities and to analyze the risk the breach poses to individuals, data protection officers need to know what has been lost:
- How many individuals were affected?
- How many data sets were affected?
- What type of data was affected?
In addition, Art. 33 GDPR requires the organization to provide an estimate of the potential consequences of the breach and a description of the measures taken or proposed to prevent adverse effects. Such information can be prepared in advance to cover various scenarios, but whether it applies depends on the nature of the breach.
When large sets of data are exposed, it can be difficult for a Data Protection Officer (DPO) to ascertain these facts manually. If a large dataset of unstructured data is lost, discovering what was lost is a daunting task, which makes it difficult to mitigate the risk appropriately.
How technology and tools help deal with data breaches
When it comes to preventing breaches, a strong combination of policy and technology needs to be in place. Given the nature of cyber-attacks and the human capacity for error, however, no amount of effort is likely to prevent every breach. When prevention fails, technology can help DPOs make sense of what was lost quickly.
For one, fact-finding tools such as ZyLAB ONE allow users to identify relevant pieces of information quickly and accurately. By taking advantage of a range of search options, users are able to find email addresses, banking information, and any other piece of information that follows a set template. Personal identification numbers, Social Security Numbers and other PII, for instance, can be found quickly using such methods. Using proximity search, pieces of information that sit near one another can be linked, creating some degree of structure in the dataset.
By finding where the pertinent information exists in the unstructured mass of lost data, a DPO is able to review that information first. This allows for a much faster response, since it isn’t necessary to wade through many pages of irrelevant data to find the important bits. That leaves more time to determine appropriate next steps, which helps to minimize the impact of the data breach.
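As an added illustration of the triage described above (not code from ZyLAB or from the original article), the script below runs template-based searches for e-mail addresses, SSNs and IBANs over a constructed dump, validates IBAN candidates with the mod-97 checksum, and uses a simple proximity search to attribute each SSN to the nearest e-mail address, so that a DPO can answer the three notification questions. All identifiers in the sample are made up, and the pattern set and window size are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an unstructured dump (support tickets plus a mailing
# list); every identifier in it is made up for this example.
SAMPLE = """Ticket 4411: alice@example.com, SSN on file 123-45-6789, payout IBAN GB82WEST12345698765432.
Ticket 4412: bob@example.org reported a failed transfer, reference 987-65-4321 is an order number; IBAN GB82WEST12345698765433 (typo?).
Newsletter bounce list: carol@example.net, alice@example.com
"""

# Template-based patterns: each PII type "follows a set template".
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # US SSN layout
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

def iban_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting number must be 1 mod 97."""
    digits = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])
    return int(digits) % 97 == 1

def find_pii(text):
    """Return {type: set of distinct values}; IBAN candidates that fail the
    checksum are dropped so random alphanumerics do not inflate the counts."""
    hits = defaultdict(set)
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "iban" and not iban_valid(m.group(0)):
                continue
            hits[kind].add(m.group(0))
    return hits

def link_to_owner(text, kind, window=80):
    """Proximity search: attribute each hit of `kind` to the nearest e-mail
    address within `window` characters, giving the dump some structure."""
    emails = [(m.start(), m.group(0)) for m in PATTERNS["email"].finditer(text)]
    owners = {}
    for m in PATTERNS[kind].finditer(text):
        near = [(abs(p - m.start()), e) for p, e in emails if abs(p - m.start()) <= window]
        if near:
            owners[m.group(0)] = min(near)[1]
    return owners

def triage(text):
    """The three questions a DPO has to answer for the notification."""
    hits = find_pii(text)
    return {
        "individuals": len(hits["email"]),   # e-mail address as a proxy for a person
        "records": sum(len(v) for v in hits.values()),
        "data_types": sorted(hits),
        "ssn_owner": link_to_owner(text, "ssn"),
    }
```

The order number in ticket 4412 matches the SSN template and is still counted, which is why the page stresses that the tool surfaces the hits for the DPO to review first rather than replacing that review.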
Conclusion: saving face
The potential damage of a data breach extends further than the immediate financial cost. Though it is certainly tempting to point at the fines handed out by Supervisory Authorities, that number tells only part of the story. Reputational damage can have long-lasting effects on the business’s future. As such, how an organization reacts after a breach is perhaps even more important than the breach itself.
In many ways, having the technology in place to handle the aftermath of a breach is crucial to avoid making a bad situation worse. Having such tools at the ready helps DPOs deal with the aftermath of a data breach more effectively. It also helps to identify holes and shortcomings in the security policies or their follow-through. If you would like to discuss what fact-finding technology can help you achieve, don’t hesitate to reach out.