What is a Data Breach? (And How Vulnerable is Your Business?)

The landscape for preventing, responding to, and avoiding the fines and other costs associated with data breaches has changed in the last three years. Since the beginning of the pandemic, data breaches have been on the rise across all industries and companies of any size. At the same time, the European Union, countries in other parts of the world, and a growing number of US states have implemented regulations to ensure the privacy and protection of customer and patient data held by businesses. Together, these trends create an environment of increased risk that every business needs to defend against.

What is a Data Breach?

A data breach occurs when sensitive information is stolen from a business using a variety of online criminal activities. Most often, the data stolen is related to customers or patients and can include their credit card numbers, birthdate, street address, and other personally identifiable information (PII) that can be used to commit fraud against both the company and the customer. However, the stolen data can also include proprietary business data and trade secrets that can be used to create a competitive threat.

The Impact of a Data Breach

A data breach creates several different layers of financial impact for companies, including the cost of recovering from the incident, the cost to reputation, and the cost of lost future business.

When information has been stolen, all affected customers, regulators, and third parties must be notified in accordance with local regulations. The origin of the breach must be found and resolved. Finally, a forensic investigation should reveal how the breach occurred as well as any relevant processes, training, and other changes necessary to prevent future breaches.

The relevant regulatory agency may also investigate the event and impose fines and corrective actions if the company is found negligent in its protection and handling of customer data. Since the implementation of the GDPR, a total of over $2.75 Billion in fines have been levied to a broad range of notable companies for noncompliance, including Amazon, Marriott International, and British Airways.

Providing customer redress is an essential element of any recovery plan. This can include maintaining communication with customers and providing them with identity protection services to rebuild their trust in the business.

Company Reputation and Future Business 

The organization’s incident response will affect the degree of impact on business reputation—along with how negligent customers and regulators truly believe the company’s data protection was in the first place. Companies can become the subject of headlines, incur fines, and see a drop in the value of their stock prices. Customers may shy away from companies that have experienced data breaches.

No matter how well a business responds to a breach, prospective customers may only remember that the breach occurred and look elsewhere for the products and services they need. Ultimately, a strong incident response plan can help your company respond quickly and efficiently to a data breach, minimizing the reputational impact and protecting your future business prospects

Three Ways to Protect Data

While no protection plan is foolproof, there are some ways your business can defend itself. And although some of these may seem fairly straightforward, it’s often the simple things like a delayed update or a poorly trained employee who responds to a phishing email that undermines otherwise secure data protection.

Here are three basic ways to protect data:

1. Keep your software up-to-date. Hackers exploit software flaws and weaknesses, so it’s important to apply upgrades and patches as soon as they are released.
2. Ensure your network is secured from the perimeter to user devices. Measures to stop unauthorized access at your perimeter can include firewalls, intrusion prevention and detection solutions, and access control lists. Methods of protecting laptops, smartphones, server stacks, and other user and endpoint devices can include managed antivirus software, web filtering, limiting access to different network areas to employees with a legitimate business need to know, virtual private network (VPN) software, and encrypting data and email—both when they’re stored and when they’re being moved between endpoints. Advanced threat detection tools can monitor your entire network and use AI to identify unusual user and system anomalies that could indicate a data breach is in process.
3. Train your employees (and contractors). Employees and contractors are a known weak spot in any company’s data protection strategy. While most breaches caused by employees and contractors are accidental, it’s essential to train them to avoid phishing, malware, and other access scams, properly protect data; and comply with the organization’s security policies and procedures. This training should be regular and mandatory and may contain continuous elements such as periodically sending fake phishing or malware emails to see how employees react.

Consider Cyber Liability Insurance 

If you fall victim to a data breach, even general liability or property liability policies that include coverage for cyber risks can leave your business exposed. Modern cyber liability insurance is designed to get your business back up and running quickly, paying for costs such as lost profits and fixed expenses during downtime or legal expenses and IT forensic costs incurred to respond to data theft.

For more insights into cyber coverage, be sure to check out:

• Woodruff Sawyer’s Looking Ahead Guide to Cyber Liability Insurance Concerns in 2022
• How to Buy: The Cyber Liability Insurance Buying Guide
• Cyber 101: Understand the Basics of Cyber Liability Insurance