In this blog post
What is a data breach?
It is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Data breaches can hurt businesses and consumers in various ways. Globally, the average total cost to a company of a data breach is $3.86 million, according to a study by the Ponemon Institute.
Circumstances under which a data breach might occur
Accidental Insider – For example an employee using a co-worker’s computer and reading files without having the proper authorization permissions. The access is unintentional, and no information is shared. However, because it was viewed by an unauthorized person, the data is considered breached.
Malicious Insider – Purposely accesses and/or shares data with the intent of causing harm to an individual or company. The malicious insider may have legitimate authorization to use the data, but the intent is to use the information in harmful ways.
Lost or Stolen Devices – An unencrypted and unlocked laptop or external hard drive that contains sensitive information goes missing.
Malicious Outside Criminals – Hackers who use various attack vectors to gather information from a network or an individual.
In the instance of a data breach, the GDPR and the CCPA outlines specific protocols that businesses must follow. Businesses must report data breaches within 72-hours of its occurrence. The reporting must be made to the supervising authority to better protect the individual.
Data breaches are inevitable, and it is only smart to be prepared in case of an imminent data breach, following appropriate control measures is the key to safeguarding personal data. The following is an illustration that describes the process flow in managing a typical data breach.
What is a Data Breach notification?
When there is an unauthorized access to personal data of consumers, the organization will send a data breach notification within 72 hours of breach.
Why is it mandatory to send a breach notification?
According to Privacy Rights Clearinghouse report, the number of data compromised vs the number of data breach made public is high. The growing problem led to the implementation of data breach notification. California was the first state to implement the data breach notification in 2002. Since then, forty-five states have incorporated their own data breach notification legislation.
What message does a data breach notification contain under CCPA?
(1) indicate who is issuing the notification
(2) a general description of the breach
(3) identification of what information was involved in the data breach
(4) where there was a delay in providing the notification due to an investigation by law enforcement
(5) what the entity is doing to resolve the problem
(6) what victims can do to protect themselves
(7) where to find more information about the data breach
What happens if a breach notification is not sent within 72 hours under CCPA?
The company must pay a penalty of $100 to $750 per consumer, per incident/ $2500 to $7500 per violation.
Data breaches are unavoidable but, the organization should follow the protocols issued under CCPA to avoid penalties and legal issues. CCPA is undoubtedly one of the most comprehensive regulations. It is crucial for businesses to have data breach management plan so that under the pressure of incident relevant decisions can be made to bring the situation back under control. At GS Lab | GAVS, we take a holistic approach on staying compliant with Privacy laws and helps client by providing them the robust data breach management plan.