When data breaches are declared, almost every individual is eager to know more about them. For instance, which industries are the most targeted for data breaches? What have been the latest trends and issues causing them? What is likely to take place next year, and the months after that? And while there are reports on the topic, their content is often simply repeated to readers by journalists. For instance, a new white paper or story that has trends and statistics related to data breaches is likely to be reported across media by multiple companies. A wide range of reputed organizations, from the Ponemon Institute, Privacy Rights Clearinghouse, Symantec and Verizon to a host of others, publish white papers and reports on data breaches, internal company data on data security and breach response, and surveys. These are circulated for months, and the same information is used by almost every paper that reports a data breach.
Having said that, information about data breaches is still limited. Very few reports are developed under the stringent guidelines of a peer-reviewed setting. And given the issue of data breaches that go unreported, also known as dark breaches, there could be intrinsic bias in the published reports that come out each year. Unfortunately, this is rarely mentioned in the press.
Let’s now understand the most common way in which data is sourced.
Public records: It can be easy to trust reports and studies based on public records of data infringements. Specific government bodies are required by law to issue a list of data violations of unsecured yet safeguarded health data. Besides, non-profit agencies collect statistics regarding data breaches from government agencies or verified media sources in order to make these reports available to the public. But since published data breaches represent only a tiny subset of those that took place, the intrinsic limitations of analyzing this information become visible.
For instance, a 2015 report on data breaches from cybersecurity company Trend Micro was based on information from the database of the non-profit agency Privacy Rights Clearinghouse. This non-profit agency in turn received its information through government statistics on data breaches.
So, if the media begins to report and focus on one particular sector, for instance “healthcare is the biggest hacking target followed by the retail industry and government”, it can be tricky to know whether the healthcare sector is really a target. This is because this information may have been published in more than one report. Could it be that the healthcare industry merely reports data breaches more often than other sectors? Since healthcare providers have to follow more stringent regulations concerning data breach notifications than other industries, we may perceive that the healthcare sector is actually the target.
Although a larger number of data breaches could mean there is an increase in actual data breach incidents, this trend could also be the result of:
- Enhancements in intrusion detection systems
- New and improved notification laws aligned with expectations of data privacy from the public
- Efficient third-party networks and audits that hold companies responsible for data breaches
- Improved processes and procedures with regard to incident response
- The rise of data breach insurance coverage
A data breach can have potentially disastrous consequences, including financial impacts and reputational and operational damage. The three main reasons why a data breach must be reported are:
- The data infringement has already been made public or is likely to go public. Most data breach announcements that hit the headlines are likely to have been reported by an investigative reporter or to involve confidential data that has already been publicly exposed. An affected organization typically reports a data breach because, in such cases, it is already leaked.
- A clear legal requirement to report. Failure to report data breaches could harm the organization in the form of fines. Besides, if the data breach is improperly reported, it could also attract civil and criminal charges. And while a breached organization may not be inclined to inform the public, the legal requirement is an added reason to do so.
- The data breach that has taken place is at a high risk of being misused. A breached organization could be liable for damage if the information stolen or hacked from the company is out for sale on the dark web or there is proof that the stolen data could be replicated or used for unlawful gains.
In light of the serious implications of a data breach, it only makes sense for every individual, entity or organization with confidential data to secure to opt for a proactive and preventative data security solution such as digital rights management. Given its persistent, forward-looking, safe and automated data-centric technology, DRM takes a proactive approach in safeguarding your confidential documents and information by instituting barriers to prevent cybercriminals from stealing your content. With DRM, you can secure your sensitive documents and data wherever they travel, be it your trade secrets, intellectual property and more.