It is increasingly in the news: data leaks and data breaches. Whether it is within the government, in a hospital or on web shops, every organization has to deal with it. The Dutch Data Protection Authority received about 24,000 reports of data breaches last year and the number of hacking, malware or phishing incidents increased by 30%. But what exactly is a data breach?
What is a data breach?
A data breach is when confidential, personal, or other sensitive information is exposed to, or accessed by, someone who is not authorized to have it. Data breaches can occur accidentally or as a result of deliberate attacks.
Millions of people are affected by data breaches each year. They range from a doctor accidentally viewing the wrong patient's medical records to full-scale attempts to access government computers and steal sensitive information. Data breaches are a major security risk because sensitive data is constantly transmitted over the Internet. This continuous flow of information allows attackers to attempt data breaches against virtually any individual or organization, anywhere. Companies around the world also store data in digital form, and the servers where that data is stored are exposed to many forms of cyberattack.
Data breach according to the GDPR
Under the privacy law, the GDPR, a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The most damaging cases involve a third party gaining unauthorized access to sensitive personal data such as credit card numbers, bank account details and health information.
The most common examples of data breaches are:
- Data sent to the wrong recipient (by e-mail or post)
- Lost papers or devices such as phones, tablets, and USB sticks
- Hacking, malware, or phishing
Who is typically targeted for data breaches?
Large enterprises are prime targets for attackers trying to cause data breaches because they provide a huge payload. This payload can include millions of users’ personal and financial information, such as login credentials and credit card numbers. All of this data can be resold on the underground market.
However, attackers target anyone from whom they can extract data. Any private or confidential data is valuable to a cybercriminal – usually, someone in the world is willing to pay to get it.
Reporting Data Breaches
The GDPR is very broad on what a data breach means, but more specific on how to deal with it. Article 33 of the GDPR, “Notification of a personal data breach to the supervisory authority”, lays out in clear language the due process in the event of a personal data breach. The organization must report the breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
Reports to supervisory authorities should include some specific information, such as:
- The nature and scope of the data breach (including, where possible, the categories and approximate number of individuals affected, and the categories and approximate number of personal data records affected);
- Contact information for your organization’s data protection officer or other contact points;
- The likely consequences of the breach;
- The measures the organization has taken, or intends to take, to address the breach and to mitigate its possible adverse effects.
Notifying a data breach
Reporting a breach on time does not guarantee that there will be no further consequences, but it does remove one ground for enforcement. If the security is not in order and the data breach has also been reported too late, this can lead to an investigation and a fine for insufficient security. Both late reporting and inadequate security can each be fined up to ten million euros or 2% of the organization’s total worldwide annual turnover, whichever is higher.
Data Breach vs Data Leak
Data breaches often involve intentional and malicious actions to gain access to secured data. This includes cyberattacks such as phishing and ransomware. A data leak, on the other hand, is the result of an accident in which data is unintentionally exposed. This can happen through poor data security and hygiene, outdated systems, and a lack of staff training. The line between a breach and a data leak is blurred: the conditions that allow a data leak to happen are often the same conditions that allow an attacker to carry out a data breach.
Data Breach Response Plan
No organization is immune to data breaches. Even if a company is confident in the security of its business, it is still a good idea to invest in an up-to-date data breach response plan before it becomes a problem. The details of your response plan will vary depending on the needs of your organization. Fortunately, there are checklists that serve as a solid guide to most data breach response plans. The Office of the Australian Information Commissioner has compiled a guide that you can follow. Make sure your response plan includes:
- Your organization’s definition of a data breach and how your employees can identify one.
- A well-defined process and chain of command for reporting data breaches.
- The roles and responsibilities of each member of your data breach response team.
- Plans to deal with different types of data breaches with varying degrees of risk involved.
- Criteria for assessing the success or failure of your mitigation efforts.
- A plan to notify affected individuals, law enforcement and supervisory authorities of a breach.
- Documentation and record-keeping procedures.
- A list of your post-breach obligations under insurance policies, service agreements and any other third-party contracts.
- A plan to investigate, identify, and eliminate the procedural or security failures that led to the data breach.
- Regular testing and evaluation of your data breach response plan.
In the coming years, the amount of data will grow even further. As more information moves to the cloud, the attack surface grows and cyberattacks will become more common. Employees need to know what a data breach is, what to do if they come across one, and what the possible consequences may be of not reporting it to the Data Protection Authority. Nixon Digital Services helps you map your digital landscape, so you can be assured of sustainable changes that prevent privacy issues and data breaches.