Data Privacy: Breaches and Responses

With the proliferation of online data and the complexity of keeping digital information secure, it’s not surprising that data breaches are becoming increasingly common. According to the Breach Level Index, there were almost 1000 publicly disclosed data breaches in the first six months of 2016, accounting for over 550 million data records. That’s up 31% from the previous six-month period. At this point, more than 3 million records are being compromised each day.

Public Sector Gets Hit With Bigger Breaches

Government agencies and other public sector entities were the target of just 14% of H1 breaches in 2016, but they accounted for 57% of all compromised records. Most of the 318 million records lost or stolen were associated with three major voter database breaches. But individual agencies at the local level aren’t exempt from being targeted. Identity theft still accounts for the majority of data breaches, and utility agencies typically store the type of customer data that identity thieves look for. Identity theft breaches have increased 38% compared to the same time period in 2015. While internal sources are still a common cause of data loss and theft, hackers are responsible for almost 70% of these incidents.

What Type of Damage Can Occur?

When data is compromised, there are many types of potential fallout, including:

  • Risk of identity theft for customers
  • Unauthorized use of customers’ financial data
  • Loss of customer trust
  • Disruption of operations
  • Damage to the organization’s reputation

What Can Be Done After an Incident?

Swift and accurate communication is the foundation of an effective response. Those impacted by the theft or loss of data need to know four things:

  • What happened
  • How it happened
  • That the organization cares about the impact
  • What the organization is doing to correct the problem and reduce the risk of recurrence

In many cases, there is a legal obligation for an organization that experiences a data breach to notify all affected parties. It may also be necessary to inform law enforcement and make a public statement. If there are material losses to those impacted, the organization may need to make consumers whole. When there is a risk of identity theft, it may also make sense to cover the cost of identity and credit monitoring for a time after the incident to help consumers safeguard their personal information.

Preventing and Limiting Damage

Data breaches can’t necessarily be avoided, although a security audit and upgrade can help reduce the risk of incursion. Any organization may be a target and there is, at this time, no foolproof way to keep malicious outsiders from compromising data. Every agency should be prepared with a response if and when a breach occurs. This includes putting together a team (which may include internal IT, HR, Legal, and Financial experts) to address any incidents. To reduce the damage that can be done by a data breach, agencies should have monitoring tools and reporting in place to immediately notify the response team of any problem. Digital damage happens fast, and a quick response is essential.