In simple terms, data breaches can be defined as incidents where data (particularly sensitive, protected or confidential data) has been accessed, shared or otherwise exposed in an unauthorized way. The actual type of data involved in a breach might vary depending on the organization and the data they process.
Compliance regulations differ on what counts as a data breach that must be reported. The data most likely to be involved also varies by organization: for a healthcare provider it is protected health information (PHI), while for a retail store it will most often be payment card information (PCI).
Commonly, no matter what your organization does and which compliance regulation applies to you, the data likely to be affected in a breach includes personal information of any sort: credit card numbers, names, addresses, national insurance numbers, drivers' licenses and more. If any of this data is accessed by unauthorized entities or shared outside the circle of people entitled to see it, the organization is said to have suffered a data breach.
There are generally three main reasons why data breaches happen: benevolent insiders, targeted attacks and malicious insiders. A breach may result from just one of these or from a combination of them. For example, a ransomware attack initiated by an outsider may still require initial entry into the system through a negligent insider.
Cyber-criminals are constantly searching for vulnerabilities to exploit – whether it be a piece of legacy software or a naive employee, and it is our responsibility to ensure that these vulnerabilities are kept to a minimum.
It has been reported that over 80% of data breaches are caused by human or process error. With this in mind, our focus needs to shift from solely perimeter-based security to a combination of training and monitoring the behavior of our own employees. Unfortunately, completely preventing data breaches can be extremely difficult to do, which is why we still see so many high-profile data breaches in the news every day.
Data Breach Notifications, Compliance Regulations, and Covered Data
There are a large number of compliance regulations, guidelines, and frameworks that regulate how data is stored and how to react to a data breach. Each compliance regulation will apply to certain organizations, types of data, location and other factors. Despite this, they have all been created and implemented to help organizations reduce the risks of data breaches and give consumers reassurance that their data is being handled appropriately.
As previously mentioned, the type of data usually covered by these regulations consists mainly of personally identifiable information (PII). The specifics may change depending on the regulation, but in general, any data that can be used to identify a consumer should be considered sensitive. However, you cannot rely entirely on compliance regulations to determine what counts as sensitive data. Currently, for example, there is no specific regulation governing the protection of intellectual property, yet a data breach involving stolen intellectual property can have serious consequences for the reputation and bottom line of the business.
When determining what data in your organization you should protect, you should take compliance guidelines as a starting reference point and then build outwards to include any form of data that, if lost, could do harm to your business.
Depending on where you are in the world, and what type of organization you are, you may have one or several compliance regulations that you need to adhere to. You must make sure that you know which regulations apply to you. Different states in the US are introducing their own compliance regulations, including the CCPA in California and the HB1071 in Washington State.
All of these regulations not only provide advice on how to prevent data breaches, but also set out what you should do to respond to one. Many regulations give strict time frames for detecting a breach and notifying the regulatory authorities (the GDPR allows 72 hours after the discovery of a breach to notify those involved and the ICO).
If you need help discovering and securing sensitive data in your environment, or you want to be able to automate compliance reporting, you should look to implement a data breach detection and prevention tool. These solutions can help you to govern access to sensitive data, detect the signs of a data breach and improve response times.