All about the risk of personal data breach


Personal data breach: what does it mean?

According to Art. 4, paragraph 12 of EU Regulation 2016/679 (the GDPR, or General Data Protection Regulation), a personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, people’s personal data, which are transmitted, stored or processed for specific illegal purposes. This, of course, includes both accidental and unlawful causes, which we’re going to look at in more depth later in this article.

A data breach occurs when a company responsible for people’s personal data suffers a security incident that results in a violation of confidentiality, availability or integrity. The people affected may be employees, customers, external contributors and stakeholders, who could be severely endangered by the breach: therefore, especially in high-risk situations, companies must inform the victims and immediately work on security measures to avoid the worst outcomes and recover as fast as possible.

Personal data breach: main causes of violation and consequences for companies

Dealing with the risk of a personal data breach is nowadays part of the everyday agenda for many companies, as the theft of personal information such as identity documents, email addresses, phone numbers, personal pictures and, of course, banking and financial data is the very foundation of many other criminal activities over the Internet.

Let’s find out what the main causes of personal data breaches are, which affect companies and lead to data violations:

  • Human factor – taking into account that companies are made of people working together, and that people can make mistakes, it’s not surprising at all that the human factor is among the main causes of personal data breaches. In fact, according to the World Economic Forum, as many as 95% of cyber security incidents occur due to human error (2022 Global Risks Report, p.45): very often people use very weak passwords and security methods (and forget to review them periodically), misuse technologies and applications, and pay little attention to sharing confidential information or leaving personal and/or work devices unattended. This gives cyber criminals more chances to break through individuals’ and companies’ Internet borders, such as documents, databases and security systems, stealing personal data and information to commit other crimes;
  • IT attacks – cyber criminals not only take advantage of human mistakes, but also rely on different types of IT attacks in order to infect devices and applications, steal data and information, take control of databases and documents, spy on activities remotely and gain unauthorised access to private platforms like websites, bank accounts and social media. Attacks over the Internet, unfortunately, can draw on a large ‘arsenal’ of strategies and malware: it includes phishing and business email compromise attacks, which aim to push the person behind the screen to enter private passwords or information; Distributed Denial of Service (DDoS) attacks, which aim to overwhelm entire IT systems; and ransomware, which seems to be an effective option to breach personal data through extortion and corruption and whose use, according to Verizon, increased by 13% in 2022;
  • Lack of ‘physical’ cyber security – this is usually a very underrated factor, but many companies don’t consider that investing so many resources to improve cyber security on the IT side can’t provide any good outcome if, on the physical side and especially due to human mistakes, specific devices containing key data and information aren’t kept safe and become easy targets for criminals to physically access or steal.

All of these causes can produce severe consequences for companies, including losses in terms of finances, reputation, morale and quality of work. So, it’s key for all entrepreneurs, managers and stakeholders to learn from experience about this issue and implement a sound methodology, especially for prevention and recovery.

Personal data breach: a few examples

Let’s take a quick look at a few personal data breach examples:

  • Yahoo – this famous web company suffered two data breaches between 2013 and 2014, in which it is estimated that overall around 3.5 billion users’ data were stolen;
  • Marriott – this famous hotel chain suffered several data breaches between 2014 and 2018 affecting 383 million customers, in which passport and credit card information was stolen;
  • LinkedIn – this famous social media platform suffered several data breaches in 2021 involving 700 million users, in which contact information in particular was stolen.

Personal data breach: how to manage, prevent and recover

Let’s share a few assessments about data violations and companies, according to a study conducted by IBM:

  • the global average cost of a personal data breach for small and medium-sized companies is estimated at around $4 million;
  • considering only the USA, the same figure is estimated at around $9.5 million;
  • the global average cost of a personal data breach for companies operating in the healthcare sector is estimated at around $10 million.

These numbers are worrying, especially if you consider that these attacks by now occur basically every day. In a previous article we wrote about how to manage a personal data breach, so now we’re going to focus on how to prevent one and how to recover after such problems.

In order to prevent personal data breaches and other IT attacks, good skills and attention play a key role. That’s why the best prevention system for companies is the education of workers through specific cyber security training: the different types of attacks that cyber criminals can carry out, how to recognise and deal with them, and how to keep personal and company data safe by following a few simple but essential tips. Of course, technology can help a lot in prevention: automation systems, AI-based detection and security analytics can provide a very strong defence in addition to good human behaviour.

As for recovery, first of all it’s important to know that data breaches usually take months, even years, to be detected – as in the case of Marriott. The first step after realising that a data breach has occurred is to understand where, when and how it happened. Then the events must be communicated to all the stakeholders, as well as to the authorities, which will take action to solve the problems and identify the guilty party. And last, but not least, being a company means being responsible for the personal data of your customers, users or employees and, if a breach occurs leading to further harm to individuals, victims may sue the firm for being unprepared in terms of security: this could represent more costs for the business due to legal activities and compensation.
