AuditXYZ

Data Breach: Definition, Response, and Compliance Requirements

Data Breach

A data breach occurs when confidential, sensitive, or protected information is accessed, disclosed, or exfiltrated without authorization. Data breaches can result from cyberattacks, insider threats, misconfigured systems, lost devices, or human error. The consequences include regulatory fines, legal liability, reputational damage, and loss of customer trust.

Types of Data Breaches

  • Unauthorized access — An attacker gains access to systems containing sensitive data through stolen credentials, exploited vulnerabilities, or social engineering
  • Accidental exposure — Data is unintentionally made public through misconfigured cloud storage, email errors, or improper disposal
  • Insider threat — An employee or contractor intentionally or negligently exposes data
  • Physical theft — Devices containing unencrypted sensitive data are stolen or lost

Notification Requirements

Compliance frameworks impose strict notification obligations:

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach involving personal data. If the breach poses a high risk to individuals, they must also be notified directly.

HIPAA requires covered entities to notify affected individuals within 60 days of discovering the breach. Breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health and Human Services (HHS) and to the media.

PCI DSS requires organizations to have an incident response plan that includes notification procedures for payment card brands and acquiring banks.

SOC 2 evaluates whether organizations have incident response procedures that include breach detection, response, and notification processes.

Prevention and Preparedness

Encrypt sensitive data at rest and in transit. Encryption renders stolen data unreadable and may reduce notification obligations under some regulations; that relief generally applies only when the encryption keys were not also compromised, so key management and key storage deserve the same protection as the data itself.

Implement strong access controls. Limit access to sensitive data to only those who need it. Monitor access patterns for anomalies.

Maintain an incident response plan. A documented, tested plan dramatically reduces breach response time and associated costs. Organizations with tested response plans save an average of $2.66 million per breach according to industry reports.

Classify your data. You cannot protect what you have not identified. Data classification ensures appropriate controls are applied based on sensitivity levels.
