Handling Data Breaches in Your Business
Data breaches have been a concern since the dawn of the internet, but they become a bigger issue with every passing day and every new breach.
During the first six months of 2019 alone, over 3,800 data breaches put 4.1 billion records at risk, and those are just the security events that were publicly disclosed. What's even more worrisome is that just eight of those breaches accounted for 3.2 billion of the records.
Although it tends to be the bigger breaches that make the news, you shouldn't assume that the size of your business means you're not on someone's radar, particularly if you use cloud-based applications for core procedures.
Every business - big or small, tech or not - needs to have an understanding of what data breaches are, how they happen, and how to handle them if they happen to you. We cover all this and more in our guide below.
- 1. What are the Most Common Data Breaches?
- 1.1. Cyber Attacks
- 1.2. Employee Data Theft
- 1.3. Human Error
- 1.4. Theft/Loss of Property
- 2. How to Avoid Data Breaches
- 2.1. Use Encryption
- 2.2. Choose Multi-Factor Authentication Methods
- 2.3. Schedule Employee Training
- 3. How to Respond to Security Incidents
- 3.1. Investigate the Breach ASAP
- 3.1.1. Do You Have an Incident Response Plan?
- 3.2. Let Those Affected Know (Internally and Externally)
- 3.2.1. Do You Need to Report Your Breach to Regulators?
- 3.3. Keep Records and Update Your Response Plans
- 4. Are You Ready for a Data Breach?
What are the Most Common Data Breaches?
Before diving into the most common data breaches, it's important to understand what a data breach is.
Basically, it's an incident in which sensitive, protected, or confidential personal data has potentially been accessed, stolen, or used without authorization.
Revisiting this definition is important because society commonly associates data breaches with criminality. There's a good chance that your understanding of a breach is an external actor with an ulterior motive who breaks into your data systems to steal or reveal something.
In reality, data breaches can be internal or external, and they can be malicious or negligent (or both). Verizon's 2015 Data Breach Investigations Report found that around half of all security incidents happen as a result of someone inside your company. They can even be an accident!
The wide scope of data breaches is why laws like the Health Insurance Portability and Accountability Act (HIPAA) (the law covering healthcare organizations and patient data) govern not only hacking and encryption but also poor password control and the unauthorized sharing of data.
So what are the most common types of data breaches?
- Cyber attacks
- Employee data theft
- Human error
- Theft/loss of property
Let's take a deeper look at each.
Cyber Attacks
Cyber attacks are the most famous data breaches for good reason. They're increasingly common, and unlike the other types of data breaches, they're increasingly difficult to protect yourself against.
Hackers and other malicious actors can attack your systems and cause a data breach through:
- Social engineering (imitating employees, etc.)
Employee Data Theft
Employee data thefts and leaks are far more common than you might think or expect. The same 2015 Verizon report noted earlier found that 30 percent of employee-caused data breaches are usually a mistake, while 20 percent fall under the umbrella of misuse.
Employees might steal data for any number of reasons. The healthcare sector struggles with personal information theft used for stealing patient identities. In other cases, an employee might take data from a work product and bring it with them to their new employer.
Human Error
Human error is a force to be reckoned with, and depending on who you ask, it's behind somewhere between 25 and 90 percent of all U.S. data breaches. The potential for human error grows as our data systems become more complicated: if all your data is in-house, the pool of people who can make a costly mistake is small. But as more businesses move their data to third-party cloud-based services, the number of people whose mistakes can cost your business its security grows, too.
Unfortunately, many of these errors are ridiculously easy to commit. Attaching the wrong document, clicking a sketchy link, poor password hygiene, or CC'ing the wrong person in an email can all cause data breaches.
However, that simplicity also means these breaches are avoidable. While that's small comfort if you have already suffered a spate of them, it also means preventing them in the future isn't as difficult as it sounds.
Theft/Loss of Property
The final common type of data breach is the theft or loss of property containing credentials or sensitive information.
Why doesn't this fall under human error? Because it can be the result of carelessness, but it can also be unavoidable, particularly if the loss was a targeted one.
While thefts and losses aren't always preventable, the damage can be mitigated long before the phone or computer goes missing through common technologies. For example, a lost iPhone is now difficult to penetrate because, with the appropriate settings in place, the owner can wipe the phone remotely if it falls into the wrong hands.
How to Avoid Data Breaches
Frankly, if you use the internet, some data breaches are unavoidable. While you should always take the appropriate measures to protect your data and resources, there is no 100% foolproof method for avoiding data breaches.
Your best chance is to follow appropriate security protocols for the category and volume of data you work with. However, because data breaches are so often the result of human error, you need to do more than install an antivirus or a comprehensive security suite. Security is both a product and a culture.
At a minimum, you should be:
- Using encryption
- Enabling multi-factor authentication
- Training employees on best practices (regularly)
Use Encryption
Do you have personally identifiable data or highly sensitive data? It should be encrypted to an appropriate standard.
You don't have to treat it like it's a state secret, but you do need to make sure that no one can read it if it falls into the wrong hands.
If you handle certain types of data, then you may need to follow prescriptive encryption measures. These largely apply, though, to the financial and healthcare sectors as well as public bodies and government organizations.
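To make "encrypted to an appropriate standard" concrete, here is an added example, written for this page rather than taken from the original article, of protecting a customer record at rest with AES-256-GCM using only Go's standard library. Authenticated encryption is the point: the stored blob is unreadable without the key, and any modification, truncation or attempt to swap a blob onto a different record is refused on decryption. The passphrase-derived key, the sample record and the record ID used as associated data are all constructed for the demo; a real system takes its key from a KMS or HSM and never hard-codes one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo key: derived from a fixed string only so the example runs
// offline and deterministically. In production the 32-byte key comes from a
// KMS/HSM or a proper KDF over a random salt, never from a hard-coded value.
var demoKey = deriveDemoKey("example-passphrase-not-for-production")

func deriveDemoKey(s string) []byte {
	sum := sha256.Sum256([]byte(s)) // 32 bytes selects AES-256
	return sum[:]
}

// encryptRecord seals a sensitive record with AES-256-GCM. A fresh random
// nonce is drawn per call and prefixed to the ciphertext; the GCM tag means
// any modification of the stored blob is detected on decryption. "aad" is
// authenticated but not encrypted (associated data): binding the ciphertext
// to e.g. a record ID stops a valid blob being swapped onto another row.
func encryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// decryptRecord reverses encryptRecord. Any error (wrong key, wrong aad,
// flipped byte, truncated blob) means the data must be treated as untrusted.
func decryptRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// tamperIsDetected seals a record, flips one bit of the stored blob, and
// reports whether decryption refused it. True means GCM did its job.
func tamperIsDetected(key, plaintext, aad []byte) (bool, error) {
	sealed, err := encryptRecord(key, plaintext, aad)
	if err != nil {
		return false, err
	}
	sealed[len(sealed)-1] ^= 0x01 // corrupt one bit of the ciphertext/tag
	_, err = decryptRecord(key, sealed, aad)
	return err != nil, nil
}

func main() {
	// Constructed sample record and record ID for the demo.
	record := []byte(`{"name":"Jane Doe","ssn":"000-00-0000"}`)
	recordID := []byte("customer-id:42")

	sealed, err := encryptRecord(demoKey, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) starts: %x...\n", len(sealed), sealed[:8])

	plain, err := decryptRecord(demoKey, sealed, recordID)
	fmt.Printf("decrypt with correct key and record ID: %s (err=%v)\n", plain, err)

	_, err = decryptRecord(demoKey, sealed, []byte("customer-id:43"))
	fmt.Printf("decrypt under another record's ID fails: %v\n", err)

	detected, _ := tamperIsDetected(demoKey, record, recordID)
	fmt.Printf("one flipped bit detected on decrypt: %v\n", detected)
}
```

Two design points worth noting: the nonce is never reused, because GCM's guarantees collapse if the same key and nonce pair is used twice, and the record ID is passed as associated data so that a ciphertext lifted from one customer's row cannot be decrypted in the context of another.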
Choose Multi-Factor Authentication Methods
Multi-factor authentication is probably the most effective way to protect your organization from outside attacks.
In short, multi-factor authentication adds an extra layer of security beyond the password. The layer in question depends on the system you use: some use biometrics, while others rely on other technological means of verification.
Multi-factor authentication helps make up for poor password hygiene (weak passwords, shared passwords, etc.). It also alerts you if there is an attempted breach and highlights the potential entry point, which gives your IT provider (either in-house or a managed service) a helpful starting point for preventing and investigating the breach.
Schedule Employee Training
Employee security training is your first line of defense against all types of data breaches, but it is too often overlooked in favor of expensive software and prayers.
Both your new employees and current staff need this training. In fact, you should make it part of your onboarding process during hiring to ensure that all employees start off on the right foot on day one.
Comprehensive and regular security training for employees not only stems the constant barrage of preventable employee disclosures but also protects your business from socially engineered attacks (where an outside actor manipulates an employee into causing the breach).
What does your training need to include? At a minimum, it should include the following topics:
- Threat overview
- Password policies (best practices and company policy)
- Preventative measures
- Email protection
- Web browser protection
Remember that you should escalate your training based on the type of data you handle.
If you are a covered entity under HIPAA or you hold valuable personal information, then you should provide more in-depth and regular training sessions.
How to Respond to Security Incidents
Your response to a cybersecurity incident is as important as your approach to preventing one. It is both an attempt to limit further damage and a way of taking responsibility for what happened.
What should you do? Here are a few steps organizations of all sizes can take.
Investigate the Breach ASAP
Big or small, you should be investigating every breach that makes it past your security barriers. You might think this is the obvious thing to do, but you might also be surprised at how tempting it is to bury your head in the sand as if nothing happened.
When the Target breach happened in 2013, reports said that the company "declined to act" on an early alert provided by its security software. That credit card breach was the second largest data heist ever. The company spokeswoman was then forced to go on the record and say, "With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different."
Investigating breaches quickly and thoroughly not only mitigates the damage but prevents further destruction of your reputation if the worst happens.
Customers understand that breaches happen. But they don't want to hear that you didn't take their data seriously enough to investigate them.
Do You Have an Incident Response Plan?
You're going to investigate more than one security breach during your tenure. Ideally, you will complete your investigations according to your organization's incident response plan.
An incident response plan is a formal process that helps your team identify, respond to, and move on from security breaches. Such plans cover not only breaches but also service outages, and yours should be tailored to your organization, covering:
- Roles and responsibilities
- Business continuity plan
- Summary of resources
- Network/data recovery processes
- Communications processes
Using this document allows your team to work systematically and uniformly in a crisis (and a security breach is a crisis).
Let Those Affected Know (Internally and Externally)
With an understanding of what happened and when, you are then free to share your information with the affected parties. You can do this with a Data Breach Notification Letter.
You should be open and sincere. If there was any fault on your side, accept responsibility.
You don't need to share all the dirty details of the breach, but you should at least tell people:
- What type of data breach occurred
- How many records were affected
- What types of data were affected
- What data subjects can do to mitigate losses on their own (change passwords, use identity protection programs, monitor credit reports, etc.)
- What you intend to do to mitigate the damage
- How you intend to prevent the issue from occurring again
All this also needs to be shared internally with the relevant parties. Employees should know what happened and when, both because their own data may have been caught up in the breach and so that they can answer questions from clients and customers.
Do You Need to Report Your Breach to Regulators?
Does your business need to comply with the General Data Protection Regulation (GDPR)? If so, then you may have an extra reporting step to take.
GDPR-compliant organizations must report specific types of personal data breaches to supervisory authorities within 72 hours of becoming aware of the breach.
You don't need to report every breach to regulators. However, if the breach is likely to "adversely affect individuals' rights and freedoms," then reporting is required.
For example, if someone in your organization sends a single email that misuses a limited amount of data, then you typically won't need to report the breach, unless the data is health-related or it's a special category of data (related to criminal convictions). You also need to inform the people it affected.
However, if you have a Target-style breach (massive and resulting in issues like identity theft) that impacts European customers, then you need to report it right away.
You must also keep records of all data breaches, including those that you don't need to report.
Are you required to comply with the California Consumer Privacy Act (CCPA)?
The CCPA comes with penalties for breaches and unauthorized actions. The bill allows the state to penalize companies with fines of $100-$750 per consumer per incident, or actual damages, whichever is greater.
However, if you fall under the jurisdiction of the CCPA, you should be prepared for reporting requirements to change as the state tinkers with the law over the next few years.
Keep Records and Update Your Response Plans
With your investigation complete and clients notified, it's time to make sure you keep records of the event.
These records are critical for your own security practices and in the event that your situation goes from bad to worse and you find yourself under the scrutiny of regulators or in a civil suit.
You should be updating your other work processes (including your response plan) based on the results of the investigation.
Are You Ready for a Data Breach?
As data breaches continue to grow in number and severity, it's important for businesses of all types and sizes to protect themselves and their customers from data loss or theft. Moreover, it's critical to understand that even if the size of your business doesn't make you a valuable target for hackers, data breaches very often come from inside your company.
A culture of security and transparency can help any company get through the worst data breach. By preparing for the worst, investigating breaches when they happen, and communicating with stakeholders, you can minimize both the effects of a breach and the damage to your reputation.
Conduct a privacy law self-audit to make sure you're prepared.