Our Approach to Data Breach Management
Personal Data Breaches
Personal data breaches have occurred since people and businesses began processing personal data. However, with advances in technology (e.g. online databases), these breaches have increased exponentially. According to a study conducted by the Ponemon Institute and sponsored by IBM, the global average number of breached records in 2018 was 24,615 per country, while 31,465 records were breached in the United States alone during the 12 months covered by the study. Between 25 May 2018 and 27 January 2020, a total of 160,921 personal data breaches were notified by organizations to data protection supervisory authorities within the EEA.
In response to a growing number of incidents, countries around the world started to heavily regulate data processing. GDPR, a privacy law which came into effect in the EU in 2018, was a game changer. With the rise of new privacy laws, regulators worldwide are increasingly able to fine companies for data breaches that result from reckless management of personal data. Both the size of these fines and the cost of data breaches are increasing around the world. According to the same study, a typical business data breach costs the affected company $3.6 million, a 6.4 percent increase from 2017’s $3.62 million.
Data breaches are now an operational reality. Identification and response continue to pose a massive challenge to businesses, as most companies do not have the expertise, technology or procedures in place to detect breaches as they occur. Compliance is challenged even further when countless companies fail to report the relevant breaches to the data protection authorities in a timely manner, with the correct information and details.
In 2019, the average time to identify a breach was 206 days, and the average time to contain it after identification was 73 days, a total of 279 days between the breach occurring and its containment. Without the appropriate controls and procedures in place, identifying a breach can be as difficult as finding a needle in a haystack.
This was a challenge before the GDPR and it is an even bigger one now, given that the reporting requirements are stricter and impose severe fines for not informing supervisory authorities in a timely manner. Only 2% of firms that have reported a breach to a supervisory authority have been fined; this shows that timely reporting helps to avoid penalties.
Data Breach Management Tool
This is where DBMT comes into play: this personal data breach management tool simplifies, automates and streamlines the processes around personal data incidents. It is a complete solution that helps companies plan for and respond to personal data incidents in a timely manner.
This cloud solution assists organizations at every stage of the personal data breach identification process by providing a single platform where the responsible team member can log, store and manage any notified incident: creating internal reports, automatically assessing the risk, and easing the decision-making process when evaluating whether the incident is reportable to the authorities. It also serves as a central database of data incidents and breaches, with task assignment for better control over workflow and responsibilities, which is a great asset for audit purposes.
The average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days, for a total of 279 days (a 4.9% increase from 2018). Source: IBM / Ponemon Institute research
For the period from 25 May 2018 to 27 January 2019, there were on average 247 breach notifications per day in the EU. For the period from 28 January 2019 to 27 January 2020, there were on average 278 breach notifications per day (a 12.6% increase), so the current trend in breach notifications is upwards. Source: DLA Piper