There are continued breaches of data privacy, and according to Omdia's Security Breaches Tracker, approximately two-thirds of security breaches involve data exposure, many of these of personally identifiable information (PII). Data Privacy Day serves to highlight the inadequacies of data protection and to support the confidentiality of information.
Omdia's Cybersecurity Decision Maker survey, conducted in the second quarter of 2022, found that 32% of organizations are "extremely confident" in their organization's security controls, and a further 58% describe themselves as "reasonably confident." However, this confidence is likely misplaced. The same survey found that 77% of organizations have suffered numerous security incidents and breaches, some with a severe impact on the organization. Realistically, strong security controls should be preventing some of these incidents and breaches.
Some of these security breaches are included in Omdia's Security Breaches Tracker. This data looks at the leading outcome of security breaches, and in the breaches reported during the first nine months of 2022, for 66% of breaches tracked this was data exposure. Looking back at the historical data to 2019, we see that approximately two-thirds of breaches have consistently resulted in data exposure: 68% in 2021, 67% in 2020, and 64% in 2019. Thus, it is not a stretch to say that organizations will continue to fail customers' data privacy expectations.
Not a One-and-Done Task
Better cyber hygiene would result in few breaches of data privacy; however, cyber hygiene is not a one-and-done task. Cyber hygiene can be defined as the good practice that all organizations can follow to minimize the opportunity for cybersecurity incidents to materialize. Examples include timely patching, password management, backups, and much more.
Cyber hygiene requires constant review and updating, because malicious actors are also constantly reviewing and updating their offensive capabilities. Attacks range from ransomware-as-a-service (RaaS) to highly sophisticated nation-state and organized criminal group attacks — a significant threat landscape.
Other factors challenging good cyber hygiene include: the omnipresent security workforce shortage, that organizational data is frequently spread far and wide with no proper handle on all the locations, gray areas of responsibility when it comes to actions such as patching, the complexity of cybersecurity, and more.
Failures in cyber hygiene can lead to opportunities for breaches of data privacy. Not only does this erode customer trust in the organization, it also opens the organization to potential regulatory breaches and fines.
Data privacy legislation has been enacted around the world, and there are plenty of examples of breaches of data privacy legislation. A significant fine of €390 million was issued to Meta (which owns Facebook) for breaking EU data laws on using personal data to deliver targeted advertisements. The ruling rejected Meta's argument that when people engage with social media platforms, such as accepting terms and conditions, they are actually agreeing to receive personalized ads. The ruling was made this month (January 2023), and Meta plans to appeal the decision.
Some consumers are becoming more savvy about their data and how it should be kept private. However, apathy and lack of knowledge are also evident among customers when it comes to data privacy: Many are not always aware of what they are signing up for or don't care about what they are signing for because they get something for free.
In many parts of the world, if a company discovers a breach of data privacy regulations, it must inform its customers and support them. There are, however, many organizations that take their time to report breaches, and especially if they have not created a playbook for such a situation, they may struggle to follow the right and appropriate rules, handle any press inquiries, deal with ransomware demands, and so on.
Take It Personally
It is incumbent upon those responsible for data privacy at an organization to look after their customers' data in the same way that they would expect other organizations to look after personal data about them. There is no doubt that maintaining data privacy is a challenge, but it must be tackled head on as a component of winning and maintaining customer trust. Data Privacy Day serves to remind everyone that data is precious and must be looked after.
In no small part, data security focuses on maintaining data privacy. Data security is essential to the fundamental ideas of information ownership, which are dependent on a comprehensive strategy and are made up of three primary elements.
The first of these elements is data discovery, needed to successfully locate information assets that may require protection. The second element is data governance, necessary to ensure that data is managed properly while internal policies are adhered to and external compliance requirements are met. Finally, data protection is essential to prevent information from being accessed or potentially compromised by unauthorized parties.
Ultimately, organizations must focus on data security to have a hope of maintaining the confidentiality of the information they are responsible for, thus adhering to data privacy regulations and expectations.