Enterprise cybersecurity technology research that connects the dots.

On Data Privacy Day, Organizations Fail Data Privacy Expectations

Data Privacy Day rolls around year after year, and data privacy breaches likewise. Two-thirds of data breaches result in data exposure.

Maxine Holt, Research Director, Omdia

January 27, 2023

4 Min Read
A white, metal "private" sign attached to a chain.
Source Chris Sansbury via Pixabay

There are continued breaches of data privacy, and according to Omdia's Security Breaches Tracker, approximately two-thirds of security breaches involve data exposure, many of these of personally identifiable information (PII). Data Privacy Day serves to highlight the inadequacies of data protection and to support the confidentiality of information.

Omdia's Cybersecurity Decision Maker survey, conducted in the second quarter of 2022, found that 32% of organizations are "extremely confident" in their organization's security controls, and a further 58% describe themselves as "reasonably confident." However, this confidence is likely misplaced. The same survey found that 77% of organizations have suffered numerous security incidents and breaches, some with a severe impact on the organization. Realistically, strong security controls should be preventing some of these incidents and breaches.

Some of these security breaches are included in Omdia's Security Breaches Tracker. This data looks at the leading outcome of security breaches, and in the breaches reported during the first nine months of 2022, for 66% of breaches tracked this was data exposure. Looking back at the historical data to 2019, we see that approximately two-thirds of breaches have consistently resulted in data exposure: 68% in 2021, 67% in 2020, and 64% in 2019. Thus, it is not a stretch to say that organizations will continue to fail customers' data privacy expectations.

Not a One-and-Done Task

Better cyber hygiene would result in few breaches of data privacy; however, cyber hygiene is not a one-and-done task. Cyber hygiene can be defined as the good practice that all organizations can follow to minimize the opportunity for cybersecurity incidents to materialize. Examples include timely patching, password management, backups, and much more.

Cyber hygiene requires constant review and updating, because malicious actors are also constantly reviewing and updating their offensive capabilities. Attacks range from ransomware-as-a-service (RaaS) to highly sophisticated nation-state and organized criminal group attacks — a significant threat landscape.

Other factors challenging good cyber hygiene include: the omnipresent security workforce shortage, that organizational data is frequently spread far and wide with no proper handle on all the locations, gray areas of responsibility when it comes to actions such as patching, the complexity of cybersecurity, and more.

Failures in cyber hygiene can lead to opportunities for breaches of data privacy. Not only does this erode customer trust in the organization, it also opens the organization to potential regulatory breaches and fines.

Data privacy legislation has been enacted around the world, and there are plenty of examples of breaches of data privacy legislation. A significant fine of €390 million was issued to Meta (which owns Facebook) for breaking EU data laws on using personal data to deliver targeted advertisements. The ruling rejected Meta's argument that when people engage with social media platforms, such as accepting terms and conditions, they are actually agreeing to receive personalized ads. The ruling was made this month (January 2023), and Meta plans to appeal the decision.

Some consumers are becoming more savvy about their data and how it should be kept private. However, apathy and lack of knowledge are also evident among customers when it comes to data privacy: Many are not always aware of what they are signing up for or don't care about what they are signing for because they get something for free.

In many parts of the world, if a company discovers a breach of data privacy regulations, it must inform its customers and support them. There are, however, many organizations that take their time to report breaches, and especially if they have not created a playbook for such a situation, they may struggle to follow the right and appropriate rules, handle any press inquiries, deal with ransomware demands, and so on.

Take It Personally

It is incumbent upon those responsible for data privacy at an organization to look after their customers' data in the same way that they would expect other organizations to look after personal data about them. There is no doubt that maintaining data privacy is a challenge, but it must be tackled head on as a component of winning and maintaining customer trust. Data Privacy Day serves to remind everyone that data is precious and must be looked after.

In no small part, data security focuses on maintaining data privacy. Data security is essential to the fundamental ideas of information ownership, which are dependent on a comprehensive strategy and are made up of three primary elements.

The first of these elements is data discovery, needed to successfully locate information assets that may require protection. The second element is data governance, necessary to ensure that data is managed properly while internal policies are adhered to and external compliance requirements are met. Finally, data protection is essential to prevent information from being accessed or potentially compromised by unauthorized parties.

Ultimately, organizations must focus on data security to have a hope of maintaining the confidentiality of the information they are responsible for, thus adhering to data privacy regulations and expectations.

About the Author(s)

Maxine Holt

Research Director, Omdia

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong understanding of the Office of the CISO, the security challenges CISOs face, and how organizations can look to overcome these challenges.
Before rejoining Omdia (as Ovum) in 2018, Maxine spent over two years at the Information Security Forum (ISF) developing research in areas including Protecting the Crown Jewels and Securing Collaboration Platforms. Prior to the ISF, Maxine spent 15 years at Ovum covering topics including security, human capital management, and identity and access management. Maxine has a particular interest in how all the component parts of security combine to make up an organization's security posture. She focuses specifically on the Office of the CISO.
Maxine started her career as a software developer in the financial services industry. She gradually progressed into a systems analyst role and then moved into consulting for the financial services and Internet sectors. Maxine is a regular speaker at events and writes a monthly Computer Weekly article covering various aspects of information security.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights