Our Approach to Data Breach Management
Personal Data Breaches
Personal data breaches have occurred for as long as people and businesses have processed personal data. With the advance of technology (e.g. online databases), however, the number of such breaches has grown dramatically. According to one of the studies conducted by the Ponemon Institute and sponsored by IBM, the average size of a breach in 2018 was 24,615 records globally and 31,465 records in the United States during the 12 months the study covered. From 25 May 2018 to 27 January 2020, organizations notified a total of 160,921 personal data breaches to data protection supervisory authorities within the EEA.
In response to the growing number of incidents, countries around the world started to regulate data processing heavily. GDPR, the privacy law that came into effect in the EU in 2018, was a game changer. With the rise of new privacy laws, regulators worldwide are increasingly able to fine companies for data breaches caused by reckless handling of personal data. Both the size of these fines and the cost of the breaches themselves are increasing around the world. According to the 2022 edition of the same IBM/Ponemon study, a typical data breach costs the affected company $4.35 million, a 2.6% increase from 2021 and a 12.7% increase from the $3.86 million recorded in 2020.
Data breaches are now an operational reality. Identification and response continue to pose a massive challenge to businesses, as most companies do not have the expertise, technology or procedures in place to detect breaches as they occur. Compliance is challenged even further because countless companies do not report the relevant breaches to the data protection authorities in a timely manner, or do not include the correct information and details when they do.
In 2022, the average time that passed before a breach was identified was 207 days, while the average time to contain it following identification was 70 days, for a total of 277 days between the breach occurring and its containment. Without the appropriate controls and procedures in place, identifying a breach can be as difficult as finding a needle in a haystack.
This was a challenge before the GDPR and it is an even bigger one now, given that the reporting requirements are stricter and that failing to inform supervisory authorities in a timely manner carries severe fines. Only 2% of firms that have reported a breach to a supervisory authority have been fined; this suggests that timely reporting helps to avoid penalties.
Data Breach Management Tool
This is where DBMT comes into play: the personal data breach management tool simplifies, automates and streamlines the processes around personal data incidents. It is a complete solution that helps companies plan for personal data incidents and respond to them promptly.
This cloud solution assists organizations at every stage of the personal data breach identification process by providing a single platform where the responsible team can log, store and manage any notified incident: it creates internal reports, automatically assesses the risk, and eases the decision-making process when evaluating whether the incident is reportable to the authorities. It also serves as a central database of data incidents and breaches, with task assignment for better control over the workflow and responsibilities, which is a great asset for audit purposes.
In 2022, the average time to identify a breach was 207 days and the average time to contain it was 70 days, for a total of 277 days (a 3.5% decrease from the 287 days recorded in 2021). Source: IBM/Ponemon Institute research.
For the period from 28 January 2021 to 27 January 2022 there were on average 356 breach notifications per day in the EU. For the period from 28 January 2020 to 27 January 2021 there were on average 331 breach notifications per day, so the current trend for breach notifications is upwards (an 8% increase). Source: DLA Piper.