What is a data breach?
A data breach is unauthorized access to, disclosure of, or loss of the personal, health, or sensitive information that an organization holds or processes. Under this definition, an organization that has, for example, lost a USB stick holding copies of personal data has experienced a data breach, even if it never recognized the loss as one. Most organizations treat only hacking or ransomware attacks as data breaches, but the term covers far more than that.
Below are some examples of potential data breaches:
- Losing a portable storage device (USB, flash drive, external hard disk, etc.), laptop, or other personal devices.
- Loss of hard copy files or papers containing personal details, or disclosure of these files to the incorrect recipient.
- Email errors: emails sent to incorrect addresses, disclosure of the email addresses of a large group of recipients via carbon copy, or personal information attached inadvertently.
- External attack on, unauthorized access to, or loss or disclosure by a third-party vendor that holds personal information for which the organization is responsible.
- Phishing, hacking, or other external attacks on an organization's information repositories.
- Unauthorized access by a staff member to files containing personal, health, or sensitive information.
Whatever the cause of the data breach, some form of harm can result for the organization's employees and for its customers or clients. The harm may include financial, social, reputational, psychological, or physical impacts on an individual, and reputational or financial damage to the organization itself.
Since data breaches are becoming more common, how a company responds to one can go a long way toward maintaining its business reputation, keeping the trust of its customers, and avoiding or reducing hefty fines from regulatory authorities. As with any crisis, a quick and decisive response is critical. But here is the problem: most breaches go undetected for a long time. According to FireEye's 2016 Report, it took organizations across the world an average of 146 days to detect a data breach. A separate report found that 81 percent of data breaches are not detected until news reports, law enforcement notifications, or external fraud monitoring bring them to light. The longer a breach goes undetected, the more harm it can do to your business.
Security breaches committed against you, or against an organization with access to your personal information, are serious crimes and are understandably stressful for the victims. Most data protection laws require private organizations and government entities that have access to or process personally identifiable information to notify affected individuals in the event of a security or data breach. So, if you read about a data breach in a news report and are unsure whether you are affected, you will probably be notified if you are.
As stated clearly by VISA: "Because data compromises are often complex, it is challenging to make the rapid communication decisions needed to mitigate the potential harm of a breach. These situations are often further complicated by the reality that every data breach is different and there may be no precedent within your organization for responding. But the stakes for handling a breach effectively could not be higher, and the impact on your business - depending on a variety of factors - can be huge. The impact of a poorly handled breach can reach throughout your business in both the short and long term: bad press, lost sales, mitigation, and litigation, as well as the uphill battle to rebuild your reputation."
The first step is to identify the type of attack that occurred and which aspects of your data - personal information or organizational data - were potentially affected. If, for instance, the theft was from a company's payment system, it is highly likely that personal payment information is at risk. If a security breach gained access to personal identification information - details such as a passport, Ghana Card, Voter's ID Card, or driver's license number - then you could be a potential victim of identity theft.
According to the Cost of a Data Breach Report, data breach costs surged 13% from 2020 to 2022. You cannot afford to be unprepared for a data breach's aftermath. It is up to you to control the situation and protect your brand from a data breach's potentially devastating hold on your reputation, and to avoid hefty penalties from regulatory authorities or supervisory agencies.
Data breach response policies are essential for organizations of any size. A response policy should outline how your company will respond in the event of a data breach and lay out an action plan for investigating potential breaches and mitigating damage when a breach occurs.
When an organization discovers a data breach, whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company's website, you need to be strategic and tactical in dealing with the incident.
The following are some steps suggested by the Federal Trade Commission (FTC) for dealing with a data breach:
- Move quickly to secure your systems and fix the vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take steps so it does not happen again.
- Secure physical areas potentially related to the breach. Lock them and change access codes, if needed.
- Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the breach and the structure of your business.
- Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
- Stop additional data loss. Take all affected equipment offline immediately - but do not turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach.
- Interview the people who discovered the breach. Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation.
- Do not destroy evidence. Do not destroy any forensic evidence during your investigation and remediation.
- Have a communications plan. Create a comprehensive plan that reaches all affected audiences - employees, customers, investors, business partners, and other stakeholders. Do not make misleading statements about the breach, and do not withhold key details that might help consumers protect themselves and their information. Also, do not publicly share information that might put consumers at further risk.
- Anticipate the questions that people will ask. Then put the top-tier questions and clear, plain-language answers on your website where they are easy to find. Good communication up front can limit customers' concerns and frustration, saving your company time and money later.
- Notify all appropriate authorities. Notify law enforcement agencies, Computer Emergency Response Teams, cybersecurity authorities, data protection regulators, or other relevant authorities. The sooner law enforcement learns about the breach, the more effective and helpful they can be.
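As an added example (not from the article, the FTC, or the author), the script below shows one concrete way to act on the "do not destroy evidence" and "document your investigation" steps: every collected artefact is hashed with SHA-256 and recorded with who collected it and when, so the team can later prove the evidence was not altered during remediation, or detect when it was. The file names, file contents, and the "IR-team" label are constructed for the demonstration.

```python
"""Added example: a minimal chain-of-custody inventory for incident evidence.
Not part of the original article; all file names and contents are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so large disk images do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(paths, collected_by: str) -> list:
    """Create one custody record per artefact at collection time."""
    records = []
    for p in paths:
        records.append({
            "path": p,
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_by": collected_by,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return records


def verify_inventory(records) -> dict:
    """Re-hash every artefact and report which are unchanged, modified, or missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for r in records:
        if not os.path.exists(r["path"]):
            result["missing"].append(r["path"])
        elif sha256_file(r["path"]) != r["sha256"]:
            result["modified"].append(r["path"])
        else:
            result["ok"].append(r["path"])
    return result


def demo() -> dict:
    """Constructed scenario: two artefacts are collected, then one is edited during remediation."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    log_path = os.path.join(workdir, "webserver.log")  # constructed artefact
    cfg_path = os.path.join(workdir, "app.conf")       # constructed artefact
    with open(log_path, "w") as fh:
        fh.write("2024-01-01T10:00:00Z GET /admin 200 10.0.0.5\n")  # constructed sample log line
    with open(cfg_path, "w") as fh:
        fh.write("debug=false\n")
    records = build_inventory([log_path, cfg_path], collected_by="IR-team")
    # Preserve the custody record separately from the evidence it describes.
    with open(os.path.join(workdir, "custody.json"), "w") as fh:
        json.dump(records, fh, indent=2)
    # Simulate an administrator "tidying up" the config file before forensics finished.
    with open(cfg_path, "a") as fh:
        fh.write("debug=true\n")
    report = verify_inventory(records)
    return {"ok": len(report["ok"]), "modified": len(report["modified"]), "missing": len(report["missing"])}


if __name__ == "__main__":
    print(demo())  # one artefact unchanged, one modified, none missing
```

In practice the custody record would be stored on write-once or access-controlled media that the remediation team cannot touch, and re-run verification before evidence is handed to law enforcement or counsel; the point of the hashes is that any later "clean-up" of the affected systems becomes visible instead of silently destroying evidence.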
Author: Emmanuel K. Gadasu
(Data Protection Officer, IIPGH and Data Privacy Consultant and
Practitioner at Information Governance Solutions)
For comments, contact the author ekgadasu@gmail.com or Mobile: +233243913077
Source: www.iipgh.org