The GDPR understands ‘personal data breach’ as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. By nature, ‘data breach’ is a type of information security incident where personal data are involved; in other words, all breaches are incidents, but not all incidents are data breaches.

According to the 2021 IBM’s security report, the average total cost of data breach in 2021 amounted to $4.24 million, while the cost per individual record lost or compromised was $180.

In fact, the expenditures and losses resulting from data breaches are even higher, taking into account potential regulatory fines, costs payable to affected individuals, loss of businesses, reputational damage, as well as follow-up investigations scrutinizing company’s information security practices.

But how do data breaches normally occur? The leader among root causes is malicious or criminal activity, with human errors and system glitches being the runner-ups in this list. In other words, human errors are one of the main reasons why data breaches occur. If to pair it up with data breaches that happened due to social engineering attacks using psychological manipulations, then it would be fair to say that causes of many data breaches lay within the human factor. This is why the importance of training and awareness campaigns built around information security policies and practices should not be underestimated when it comes to reducing the risk of a data breach.

In general, prevention of data breaches should focus on techniques and technologies that prevent data breaches from happening. In addition to prevention, preparedness is just as significant. Preparedness steps in when prevention fails and and basically answers the question “What does the company do when prevention fails?”.

Preparedness itself can be divided into following channels (directions):

(1) Training and awareness around information security policies and practices

DPOrganizer has published a stand-alone article dedicated to general training and awareness campaigns. When it comes to data breaches, everyone in the organisation has to receive training of a specific type. Vast majority of employees only have to know how to identify data breach and how to properly react – this message can be built into, e.g., an onboarding privacy training which is further reinforced by awareness messaging. Others will need a deep-dive role-based specific training – e.g., members of incident response and incident management teams and groups, different system owners, and service desk managers handling messages about data breaches in the first instance. Forms of training might include formal training sessions, videos, e-learning courses and quizzes, table-top exercises, simulation of an actual incident (e.g., circulating a fake phishing email).

(2) Developing an incident response plan (IRP) to handle information security incidents and data breaches

Drafting of an IRP requires team efforts, normally this process is headed by privacy and/or legal teams which are then assisted by HR, IT, communications and other stakeholders as necessary. A comprehensive and well-designed IRP should provide a clear roadmap for employees in an organisation to follow in case a data breach occurs. In particular, an IRP normally should include the following:

• clear definition of roles and responsibilities of the main stakeholders involved – this means that those stakeholders should be well understood and managed and then duly trained, thus ensuring that everyone understands who is responsible for what if a data breach occurs
• rules for internal reporting and escalation
• methodology for the assessment of severity and likelihood of risks for the rights and freedoms of the data subjects involved, assessment calculators and tools
• procedures for communicating with external parties such as regulators, vendors, investigators, and insurance providers
• integration with business continuity plans (BCPs), if relevant – although BCPs normally cover the aftermaths of natural or technological, or human-centered disasters, extensive data breaches might lead to similarly extensive implications, and this is why it might make sense to integrate IRP into BCP
• process for analyzing and learning from the incident after it has occurred

(3) Managing vendors who may be involved in an incident

Having a proper understanding of what personal data processors (vendors) store, how they use it, and what their incident response plans are in case of a data breach is critical. This implies much more than just examining contracts. In fact, data breach prevention and preparedness forms an important part of the ‘due diligence’ assessment that a data controller must perform in respect of a potential data processor pursuant to the GDPR Article 28.  For vendors who possess critical information, it may be necessary to conduct a thorough investigation to gauge their level of readiness and guarantee their cooperation in the event of an incident.

(4) Obtaining suitable insurance covering cases of data breaches

Insurance could potentially provide financial support to mitigate expenses associated with data breach events. Some insurance companies already offer so-called ‘cyber-liability’ type of insurance which is designed to cover the majority of losses and expenditures resulted from data breaches (e.g., costs related to data breach notifications, fees of external counsels, costs of investigations, etc.).

When assessing coverage options, it is essential to note that insurance companies may require you to fill out questionnaires concerning your current level of security incident preparedness. Before providing this information to an external insurance company, it is of high importance to align with the legal department (and also with IT and Information Security departments, as relevant).