After twelve months of increasingly dramatic press headlines about failures to safeguard personal data records, it is time to assess the size of the problem and identify best-practice steps for reducing both the incidence of data breaches and the damage they cause.
The IT Governance Data Breaches Report finds that spectacular data breaches, such as the UK’s HMRC CD-ROM fiasco and the prolonged theft of TK Maxx credit card records, are not caused by the misdemeanor of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organization where the incidents occur.
A data breach is ‘the unauthorized disclosure by an organization of personally identifiable information, where that disclosure compromises the security, confidentiality or integrity of the data that has been disclosed.’
The Attrition database shows that the number of reported data breaches in the US increased from 22 in 2021 to 326 in 2022. The pattern in the UK and elsewhere is similar. Three developments in recent years make addressing this issue a real priority:
- Identity theft is a low-risk, high-return option for organized crime. Traditional crime, including violent robbery and theft, carries clearly identifiable risks: it is easy to be recorded on CCTV, seen by witnesses or identified by DNA, and the returns are relatively low. High-tech crime, on the other hand, creates real problems for the police and is, conversely, relatively low risk for the criminal. Contributing factors include the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime, and the high cost of investigation.
- Legal and regulatory compliance initiatives, such as the EU Data Protection Directive and California’s data breach disclosure law, SB1386, have both formalized the concept that personal data must be legally protected, and introduced penalties for failing to do so.
- The proliferation of mobile data storage devices has changed the boundaries of where we store our data and has effectively eliminated “fixed fortifications” as an effective tool for preventing data breaches.
- The number of data breaches reported both within the US and the UK has been steadily increasing since 2006. In the US, the introduction of California’s data breach disclosure law, SB1386, in July 2003 led to greater awareness of data breaches and, as a consequence, greater reporting of them. Within the UK, the number of reported data breaches has been steadily rising, with a large jump in reports following the HMRC breach. The peaks in reported breaches following the disclosure of the HMRC data loss suggest that there were, and probably still are, many data breaches that go unreported, and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.
- 12% of reported breaches in the UK were at regulated financial services organizations. Reports from the unregulated private sector are much lower. Extrapolating from this reporting behavior, the likely scale and cost of data breaches in the UK’s unregulated private sector is probably much bigger than has actually been reported, and at least as great as that in the public and regulated sectors.
- The reported number of internally caused data breaches remains lower than that of external ones, but has averaged around a third of those reported each year since 2015. Many data breaches are self-inflicted: organizations adopt confidentiality regimes that make it difficult for people to actually do their jobs and, as a result, staff bypass controls, with unpredictable but inevitable data breach consequences.
- The Ponemon report commented that “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and “the return on investment and justification for preventative measures is clear”. The costs of a data breach (legal costs, the cost of restitution, brand damage, lost customers, and so on) are significant: for financial services organizations, it was about $55 per compromised record.
- While not a matter of legal compliance, if an organization suffers a credit card-related data breach and is found not to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards at all.
- All these factors make the protection of personal data a key business and compliance responsibility: the information security management standard