In 2012, 2,644 data breach incidents were reported worldwide, and it is thought that this figure represents only 10% of actual cases. Of these reported data breach incidents, 97% were avoidable. In total, 267 million records were exposed, the average cost of each breach was $5.5 million, and the overall impact of reported data breaches was $8.1 billion.
These sobering statistics preceded the data loss prevention talk by Craig Spiezle, Executive Director & President of the Online Trust Alliance during the Best Practices track at Interact 2013.
In a data-driven economy, more personal information on consumers is being collected, and likewise, the repercussions of a data breach are becoming more severe. Perhaps one of the most embarrassing things for companies that experience a data breach is explaining why they possess such information on their consumers in the first place, which might account for why such a large percentage of breach incidents go unreported. In the European Union, Internet service providers have 24 hours from the moment a data breach is discovered to report the incident to the authorities.
All companies must operate under the assumption that the data they possess includes confidential information subject to regulatory requirements, and that there will come an unfortunate day when they experience a data breach. As such, security and privacy by design need to be part of your corporate DNA. Data stewardship is everyone’s responsibility, and data security policies need to be continually reviewed. The absence of a plan is clearly a disaster.
Zappos, for example, was a brand that floundered in the wake of a data loss incident. With no clear internal communication or pre-prepared phone scripts to help their staff deal with anxious customer enquiries, the brand struggled to deal with phones that were ringing off the hook when 24 million records were compromised.
In the US, there are 46 different regulations that deal with data breaches. This means that in a data breach scenario, your business would need to notify 46 different states, each of which has a different process for reporting the breach. Conversely, the European Union is moving towards one regulation and one notification point. If a data breach is specific to one country, however, you might not need to notify everyone.
Data Security Best Practices
While you may not know when you will have a data breach, there are ways to make sure that when the time comes, you are able and ready to deal with it.
- Create an incident response team.
- Have a draft email that is ready to go out to partners in the event of a data breach.
- Create a relationship with your local FBI office so you know whom to contact in the event of a breach.
- First responders and PR teams must be briefed and prepared for a data loss event, e.g. with media and social monitoring in place.
- Consider contracting a forensics company, or a company offering data breach remediation, beforehand.
- Think about where funding will come from and consider insurance coverage.
- Create a website section for Frequently Asked Questions and consider translating it into different languages.
A data loss incident can cause significant damage to brand reputation. In a keynote at Gartner Symposium/ITxpo 2013, Google Executive Chairman Eric Schmidt said that a significant data breach at Google Inc. would be “devastating” and would threaten the company’s existence.
And in an industry that is increasingly shaped by mobile behaviours, consider too that mobile devices can also be compromised. The 2013 Data Protection & Breach Readiness Guide published by the Online Trust Alliance covers the topic of data breaches in far more depth and detail, so do download a copy of the report if you are interested in learning how to safeguard your brand!
Want to find out more about how to keep your email secure? Get the How DMARC Is Saving Email eBook and find out how this new authentication standard is putting an end to email abuse.