Privacy Breaches and Data Breaches
A data breach occurs when confidential or private data is read, copied, modified, or deleted without authorization.
  - “read” can mean read by a person or transferred to a network or storage medium
  - a data breach is the loss of any type of data
  - a privacy breach refers specifically to the loss or disclosure of personal and sensitive data
Data loss is the loss of access to data.
Data exfiltration is the unauthorized transfer of data.
Organizational Consequences
- reputation damage
- identity theft
- fines
- intellectual property (IP) theft
- financial loss
  - ransom, stock price falls, loss of revenue, recovery costs
- availability loss
  - lose access to data needed for operations
  - lose access to critical business functions
Notification of Breaches
- may need to notify
  - law enforcement
  - individuals and third-party companies affected
  - the public, via press or social media
- under GDPR,
  - notification must be made within 72 hours of becoming aware of the breach
- under HIPAA,
  - must notify affected individuals, the Secretary of the US Dept. of Health and Human Services, and the media (if more than 500 individuals are affected)