Data Breach & PII Breach
A data breach occurs when the data for which a company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity (European Commission, no date).
Primary reference(s)
European Commission, no date. What is a data breach and what do we have to do in case of a data breach? Accessed 31 October 2024
Annotations
Additional scientific description
A data breach in cybersecurity refers to an incident where sensitive, protected, or confidential data is accessed, disclosed, or retrieved without authorization. This can involve personal data, financial information, intellectual property, or other critical data, leading to potential harm to individuals or organizations.
Data breaches manifest in various forms, such as unauthorized access to databases, interception of data in transit, or insider threats. Personal data breaches compromise personally identifiable information (PII), such as names, addresses, social security numbers, and financial details, leading to identity theft and privacy violations. Non-personal data breaches pertain to the exposure of proprietary business information, intellectual property, or other sensitive organizational data, potentially causing financial losses and competitive disadvantages.
Data breaches can escalate to national hazards when they target critical infrastructure, government agencies, or large-scale data repositories. A prominent example is the 2015 breach of the U.S. Office of Personnel Management, in which background-investigation records on more than 21 million individuals were compromised, posing significant risks to national security and intelligence operations (Koerner, 2016). In 2022, 1,774 data breaches affected more than 392 million individuals worldwide, exposing legally protected information about people using services in sectors such as finance, healthcare, and social services. Data breaches also have a significant economic impact: their costs are rising by over 20% annually and are reported to account for 4-6% of global GDP (WEF, 2023).
The human factor is the most prevalent vulnerability: a non-malicious human element (a person falling for social engineering or making an error) was involved in 68% of breaches. Social engineering tactics deceive individuals into clicking malicious links or sharing sensitive information such as credentials, which attackers then exploit to gain access (Verizon, 2024).
Metrics and numeric limits
Not available.
Key relevant UN convention / multilateral treaty
International legal instruments addressing data breaches include the Council of Europe's Convention on Cybercrime (Budapest Convention), which facilitates international cooperation in combating cybercrime, including unauthorized access and data interference.
Additionally, numerous national and regional regulations deal with personal data breaches, like the European Union's General Data Protection Regulation, the California Consumer Privacy Act, the Canadian Personal Information Protection and Electronic Documents Act, etc.
Drivers
Lack of cybersecurity investment, human error, third-party risk, and an increasing attack surface via APIs. Future breaches are likely to focus on major technology companies that serve large customer bases and hold significant amounts of sensitive data. This increased targeting stems from factors such as the widespread use of APIs, the growth of data digitisation, and undetected or unpatched zero-day vulnerabilities.
Impacts
In 2023, the landscape of global data breaches significantly intensified from previous years, including a 72% increase in the number of data compromises over the previous high in 2022 (WEF, 2024).
Despite the rise in breaches, breach notifications are becoming less informative. In 2022, 66% of public notices in the United States gave no information on the affected victims or the specifics of the attack, largely because the United States has no national privacy law that sets notification requirements. Additionally, post-breach services such as credit monitoring often fail to match the steps recommended to reduce the risk of further exposure and future breaches (WEF, 2023).
Multi-hazard context
The consequences of data breaches can be severe, leading to financial losses, reputational damage, legal and regulatory implications, operational disruption, and harm to individuals (identity theft, privacy violations, etc.) or organisations. Data breaches can expose organisations and individuals to further hazards, such as follow-on cybersecurity threats (e.g. malware delivered using stolen contact details or credentials), data manipulation (disrupting operations or triggering misinformation), and supply chain disruption (to third-party vendors and partners when security issues cascade across interconnected systems).
Risk Management
To effectively address and mitigate these risks, organizations should take proactive steps to protect consumer information and define clear, actionable key performance indicators. Companies should be encouraged to implement customer multi-factor authentication services and collaborate to establish industry standards. Insurers and regulators can promote awareness and reduction of data breaches by offering incentives to organizations that prioritize consumer data protection and enterprise security. Cyber insurance can support this approach by providing lower premiums, free pre-breach services, and ongoing underwriting that adapts to changing threats and evolving cyber risk management practices.
The most appropriate strategy to mitigate the risk of a data breach depends on how the attack is carried out.
- Credential Theft Attacks: Implementing strong password policies and multi-factor authentication (MFA), alongside using password managers and rotating credentials promptly when compromise is suspected (Kost, 2024). (Routine forced password rotation is no longer recommended by NIST SP 800-63B; rotation on evidence of compromise is.)
- Phishing Attacks: Conducting regular employee training and awareness programs, and implementing email security measures such as anti-spoofing controls (SPF, DKIM and DMARC) and encryption.
- Vulnerability Exploitation: Maintaining a robust patch management process, conducting regular vulnerability assessments and penetration testing, and implementing network segmentation to isolate critical systems.
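The credential-theft mitigation above rests on MFA: a stolen password alone must not unlock the account. The following is an added example, not code from the page or from any of the cited sources, showing how a time-based one-time password second factor (TOTP, RFC 6238, built on HOTP, RFC 4226) is generated and verified, and how a login routine requires both factors. The in-memory user store, the PBKDF2 password hashing, the user "alice" and the demo secret (the RFC 6238 test vector secret) are constructed for the example.

```python
"""
Added example: TOTP-based multi-factor authentication (RFC 6238 on top of
RFC 4226 HOTP) guarding a password login, so that a stolen password alone
does not unlock the account. Standard library only.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift)."""
    if not (isinstance(code, str) and len(code) == digits and code.isdigit()):
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


# Constructed in-memory user store (assumption: a real system persists this).
USERS: dict = {}
PBKDF2_ROUNDS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, totp_secret: Optional[bytes] = None) -> str:
    """Store a salted password hash plus a TOTP secret; return the base32
    secret string the user would load into an authenticator app."""
    secret = totp_secret if totp_secret is not None else os.urandom(20)
    salt = os.urandom(16)
    USERS[username] = {"salt": salt,
                       "pw_hash": _hash_password(password, salt),
                       "totp_secret": secret}
    return base64.b32encode(secret).decode()


def login(username: str, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors must pass; a leaked password alone is not enough."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        # Burn a hash anyway so unknown usernames are not cheaper to probe.
        _hash_password(password, b"\x00" * 16)
        return False
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    return verify_totp(user["totp_secret"], code, at)


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret and test timestamp 59.
    demo_secret = b"12345678901234567890"
    register("alice", "correct horse battery staple", demo_secret)
    now = 59
    good_code = totp(demo_secret, now)
    print("password only:    ", login("alice", "correct horse battery staple", "", now))
    print("password + code:  ", login("alice", "correct horse battery staple", good_code, now))
```

The verification window of one step either side tolerates a little clock drift on the user's device; widen it and every window also widens the attacker's guessing space, so keep it small and rate-limit attempts. Codes are compared with `hmac.compare_digest` rather than `==` so a timing difference does not leak how many digits matched.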
Monitoring
Not available.
References
European Commission, no date. What is a data breach and what do we have to do in case of a data breach? [online] Accessed 15 January 2025.
Koerner, B.I., 2016. Inside the cyberattack that shocked the US Government. [online] Accessed 15 January 2025.
Verizon, 2024. 2024 Data Breach Investigations Report. [online] Accessed 15 January 2025.
World Economic Forum (WEF), 2023. How to handle the data breaches increasing at rapid speed. [online] Accessed 15 January 2025.
World Economic Forum (WEF), 2024. What does 2024 have in store for the world of cybersecurity? [online] Accessed 15 January 2025.
Kost, E., 2024. How to prevent data breaches in 2025 (Highly Effective Strategy). [online] Accessed 15 January 2025.