Breach! A Guide To Data Breaches
What is a Data Breach?
With high-profile cases such as last year’s Equifax scandal coming to light, and the changes which followed the introduction of GDPR, data breaches have become a hot topic in the world of data. But what exactly does the term mean? A data breach can be defined as an incident which involves the unauthorised disclosure of, or access to, sensitive, confidential or protected data. Data breaches may involve personal health information, personally identifiable information, company or trade secrets, or protected intellectual property.
Last year, the consumer credit reporting agency Equifax suffered a massive data breach involving the personal information of millions of Americans. Only in the last couple of days has the full scope of the breach been revealed by independent audits. In short, the breach exposed 146.6 million names and dates of birth, 145.5 million social security numbers, 99 million personal addresses, 209,000 payment card details (including card numbers and expiry dates), 38,000 US drivers’ licences and 3,200 passport details.
In this instance, the breach was caused by a flaw in a tool designed to build web applications. However, there are many different scenarios which can result in a data breach. The classic example, often portrayed in Hollywood spy films, is a computer hacker breaking into a corporation’s database and stealing private information. Whilst this is a valid cause of data breaches, they are often far less dramatic. A data breach can be as simple as an unauthorised healthcare worker seeing a patient’s personal health information that has been carelessly left up on a computer screen. Weak passwords, email phishing scams and missing software patches are also common causes of data breaches.
Reporting a Data Breach
On the 25th of May, the General Data Protection Regulation (GDPR) was introduced to the 1998 Data Protection Act (DPA), in order to bring legislation into line with the ways personal data is currently being used. It also emphasises the importance of data subjects’ consent and of transparency in data collection and usage. GDPR affects all organisations which control or process personal information within the EU. Post-Brexit, British businesses will still have to comply with the original GDPR if the data they control or process flows through the EU. Additionally, the British government has announced that it will bring in its own legislative programme that mirrors the GDPR, but allows certain changes to the framework.
GDPR has brought in new disclosure requirements that an organisation must follow in the event of a data breach. Data controllers are obliged to report certain types of data breach, those in which data subjects’ personal information is put at risk, to the ICO within 72 hours of the breach being identified, where feasible. Where a breach may adversely affect data subjects’ rights and freedoms, the data subjects themselves must also be informed without delay. Furthermore, a record of all personal data breaches must be kept, regardless of whether it was necessary to contact the ICO.
Unfortunately, there is no single piece of software that can prevent an organisation from having its data breached. However, there are data governance strategies and common-sense security procedures that, if followed correctly, will prevent data breaches in most scenarios. These include basic practices such as using proven malware protection software, conducting frequent system vulnerability and penetration tests, using strong passwords (and not leaving them lying around on sticky notes!) and consistently updating software on all systems with the latest patches.
At IntoZetta, we are able to provide data governance solutions tailored to your organisation. Data governance is ultimately responsible for assessing, managing, using, improving, monitoring, maintaining, and protecting organisational information. Effective data governance needs cooperation and collective responsibility across an entire organisation to ensure that data is managed and utilised as a key organisational asset. IntoZetta can help you to build a data governance strategy that focusses on the right technology, processes, and behaviours. The strategy will define and document specific roles and responsibilities, rules and procedures, and the tools that are required to nurture effective data governance, but the primary objective will always be to elevate collective understanding and ownership, and embed best practice data disciplines throughout the organisation.