Personal Data Breach: From Panic to Promise

“There are only two types of companies: those that have been hacked, and those that will be.”   – Robert Mueller, FBI Director, 2001-2013 

Data Breach can happen to any organisation

A hacker attack takes place at least every 39 seconds, according to a study by the University of Maryland. The root cause of approximately 95% of these data breaches is human error, and many of them have an internal origin. Any activity that includes human intervention carries the risk of human error. At the same time, increased reliance on cloud storage leaves a company vulnerable to external attacks. The unmistakable truth is that a data breach can happen to any organization, at any time.

From the individual’s perspective, a data breach of, for example, medical history or other sensitive personal information may lead to irreversible social and financial consequences that cannot be remedied. In certain situations, a breach of personal information can even be life-threatening, for example if it makes it possible to locate or identify persons in a witness protection program. A data breach can also reduce an individual’s trust in institutions, create a feeling of lost control over one’s personal information, or cause resentment.

In the worst-case scenario, a serious personal data breach or compliance violation may threaten the existence of an organization, from both a financial and a customer-relations standpoint. In fact, according to a National Cyber Security Alliance study, 60 percent of small and mid-sized businesses that are hacked go out of business within six months. This reality hit home for a Finnish psychotherapy center called Vastaamo, whose recent data breach exposed sensitive patient data and eventually pushed the company into bankruptcy. The impact of this breach was compounded by the fact that individuals’ personal lives were adversely affected.

Four Phases of Data Breach Management

A data breach is a risk that each organization should take seriously. Downplaying the likelihood and seriousness of a data breach serves no one. Acknowledging this stark reality heightens awareness and underlines the importance of preparedness. So, however challenging a data breach situation may be, it is important to understand and progress thoughtfully through the four phases of data breach management, which are:

  1. prevent 
  2. prepare 
  3. contain 
  4. assess and notify 

Prevention of data breaches involves assessing what kind of information your organization holds, identifying risks and weaknesses regarding personal data protection, and training your employees to be aware of the possible privacy risks related to their work tasks. Since a personal data breach cannot be fully avoided, it is recommended to build preparedness for such crisis situations. Containing the breach involves implementing measures to immediately stop the leak, threat or attack. The assessment phase involves collecting the facts (what exactly happened and what information was compromised) and evaluating the risk to the individuals affected. Depending on the estimated risk to the individuals, the relevant supervisory authority and the data subjects must be notified.

Preparation for a data breach situation

What else could an organization do in order to avoid data breaches? Smaller incidents and near misses should be recorded and analysed regularly to detect possible vulnerabilities and systematic errors. Incidents that have taken place at other organizations should also be treated as learning opportunities. The findings from internal and external incidents should be evaluated in the organization’s risk management procedures so that the risks relevant to the organization are identified, assessed and mitigated.

Preparation for a data breach situation through simulations, tabletop exercises or drills is a method for practicing efficient and correct operational handling of data breaches. Based on our experience at Privaon, these exercises give confidence to the key persons taking part in the incident handling, help them memorize the protocol, and ensure that the organization is able to respond at the required speed when the situation demands it. Practical training also increases the organization’s awareness of data protection risks, in other words of what can happen, and therefore helps avoid unwanted events.

Data Breaches webinar, 1.4.2021

In the upcoming Privaon webinar Data Breaches: From Panic to Promise, we look at these four phases, offering a guide through the actions to take when the crisis hits your organization, including: 

  • how to contain and assess a personal data breach,
  • how to best prepare for data breaches, and 
  • how to implement measures to prevent and avoid future data breaches.  

The webinar will focus on the powerful, proactive combination of concrete training and conceptual awareness.

So, join us for the upcoming Data Breaches webinar on 01 April 2021, at 8:30am. Read more about this event. The webinar is free of charge, but please remember to register in advance.