Data breaches seem to rise in some periods and fall in others; the one constant, however, is that data breach incidents are inevitable. How often a breach occurs at a given organization depends on many factors, which we discuss below, but generally speaking we can agree that a data breach is inevitable in any organization where data exists in abundance.
Reasons Why Data Breach is Inevitable
Although many companies have good intentions and keep their data safe by classifying and securing it, we now know that data breach incidents, including personal data theft, are inevitable even at the most secure companies. Although the world's most secure companies have a lower rate of breach occurrence, the survival of any organization following a data breach depends largely on its breach resiliency and response preparedness. Below is a list of reasons why data breach is inevitable, which I have accumulated from industry news and personal observations:
· Inadequate security policies and related training,
· Security policy violations by employees and others,
· Excessive security policy exceptions and management override,
· Lack of vendor oversight and due diligence for data protection,
· Financial rewards for internal and external parties,
· Organized, capable, and sophisticated nature of hackers,
· Lack of adequate budgets and qualified resources for security,
· Insufficient visibility of the security team and its management.
We often hear about personal data breach incidents which together result in almost a billion lost personal records, millions of victims, and several billion dollars in fraud losses annually due to identity theft. Breaches can be internal or external, and their consequences differ depending on where the breach occurred; we therefore have to understand the difference between internal and external data breach incidents and their implications in order to plan our response. Incidents which occur at our own organization directly affect our image and credibility, our revenue and profit, and our productivity, because of the investigation, resolution, and communication to the appropriate parties they require. Data stolen from other organizations, meanwhile, can create large identity fraud problems for our own company if personal data is a big part of our transaction processing and operations, as it is in financial institutions.
As part of an effective workplace data breach management solution, we should have a backup plan to respond to an incident which occurs at our own company, as well as a plan to prevent the fraud that can be committed with data stolen from other organizations.
The best data breach resiliency plan is data encryption. In fact, privacy regulations do not require breach notifications if our assessment concludes that a security incident did not result in data exposure, which can be the case when the affected data was adequately encrypted.
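As an added illustration of the encryption point (example code written for this page, not from the original article): a sensitive field is stored under AES-256-GCM with a key that is kept separate from the database. A stolen copy of the table then holds only a nonce, ciphertext and authentication tag; without the key it cannot be decrypted, and a wrong key or a tampered blob fails authentication rather than yielding plaintext. The record values are constructed. The practical caveat for the exposure assessment is that the encryption-based exemption from notification only holds when the key was not compromised along with the data, which is why keeping the key in a separate system (a KMS or HSM) matters as much as the algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed example of a personal-data row as it might be stored.
// The field values are made up for this example.
type Record struct {
	CustomerID string
	SSN        string // sensitive: written to storage only in encrypted form
}

// NewDataKey generates a fresh random 256-bit key. In production this key
// lives in a KMS/HSM, never in the same store as the records it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptField encrypts a sensitive field with AES-256-GCM. The returned blob
// is nonce || ciphertext || tag, which is what lands in the database column.
func EncryptField(key []byte, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per field; reusing a nonce under the same key
	// would break GCM's guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so the blob is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField reverses EncryptField. A wrong key or any modification of the
// blob fails authentication and returns an error rather than garbage bytes.
func DecryptField(key []byte, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, _ := NewDataKey()
	rec := Record{CustomerID: "C-0001", SSN: "123-45-6789"} // constructed values
	blob, _ := EncryptField(key, []byte(rec.SSN))
	fmt.Printf("stored blob for %s (%d bytes, no plaintext): %x\n", rec.CustomerID, len(blob), blob)

	// What an attacker holding only the stolen table can do: nothing useful.
	wrongKey, _ := NewDataKey()
	if _, err := DecryptField(wrongKey, blob); err != nil {
		fmt.Println("decrypt with wrong key:", err)
	}
	// What the application, holding the real key, can do.
	pt, _ := DecryptField(key, blob)
	fmt.Println("decrypt with real key:", string(pt))
}
```

The exposure assessment follows directly from the properties shown: a copy of the table without the key is not a disclosure of the SSN, but a copy of the table together with the key is.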
And where data was exposed in an incident, the US Red Flags Rule was introduced to require companies to protect their customers who may be affected by fraudulent transactions enabled by the theft of their personal information at other companies. This regulation is not about data protection but about fraud prevention.
In general, once security is in place based on our assessment of how a breach can occur, we have to document our data breach response and communication plans, identify stakeholders, perform breach response training and exercises, adjust the plan as needed, and train employees to detect and prevent the fraud that can be committed with data stolen from other organizations.