A data breach is a type of privacy incident that occurs whenever an unauthorised person could have gained access to someone else’s personal information. Data breaches are the result of failing to protect personal information. We believe that people and organisations need to protect personal information to prevent other people and organisations from suffering real harm, where harm is any damage that the data breach causes.
Why do data breaches cause harm?
Data breaches and other privacy incidents damage organisations’ public reputations, existing relationships and prospects of winning new business because:
- they have the potential to expose personal information in a public or semi-public way; and
- the mere prospect of having your personal information exposed affects how you behave.
For example:
Imagine that you are dancing by yourself in your living room. You would probably be fairly uninhibited, not overly self-conscious and fairly relaxed. Now imagine that you knew there was a surveillance camera in your living room through which your security company could watch you dance. You would have no way of knowing whether they were actually watching at any given moment, but there would always be the possibility that they could be. I’m sure you would dance a little less enthusiastically, if you continued to dance at all.
Glenn Greenwald uses the same dancing analogy to explain why privacy matters in his TED talk, “Why privacy matters” (TEDGlobal 2014).
In the same way, after a data breach there is always the possibility that an unauthorised person has accessed your data subjects’ personal information, and you may have no way of knowing whether or not they actually have.
How do data breaches cause harm?
Public backlash and data privacy legislation both punish the organisation responsible. Data breaches harm the organisations responsible for them by:
- eroding customer confidence: existing customers probably will not want to carry on doing business with anyone who has failed to protect their personal information;
- ruining reputations with prospective customers: new leads or prospects will avoid a vendor or service provider with a reputation for causing data privacy incidents;
- sowing distrust in the workforce: employees are unlikely to trust an employer who has allowed their personal information to be compromised, and may no longer want to work for them;
- exposing them to disciplinary or corrective action from the Information Regulator, which will have extensive enforcement powers once POPI (the Protection of Personal Information Act) commences;
- making them liable to class actions, where an affected section of the public bands together and sues them; and
- forcing them to adopt rigorous and expensive information security standards going forward to prevent further breaches.
What harm have data breaches caused?
A cautionary example of the harm that data breaches can cause is the TJX case from the United States. TJX is an off-price clothing and homeware retailer with many brick-and-mortar stores. Beginning in 2005, and undetected until December 2006, attackers gained access to the wireless network of one of its stores, which was protected only by the weak WEP encryption standard, and from there reached the systems holding customer payment card data:
- the company failed to protect personal information and the intruders accessed data from more than 45 million customer payment cards;
- as a rough US-wide estimate, around 25% of people affected by data breaches go on to become victims of identity theft;
- the incident cost the company an estimated $246 million in settlements; and
- under its settlement with the FTC, the company must maintain a comprehensive information security programme and submit to independent professional audits of its compliance for 20 years.
It is clear that incidents like this cause people and organisations real harm.
What can you do about it?
You can:
- do your best to guard against data breaches by putting appropriate information security measures in place; and
- be ready to handle data breaches with an Incident Response Policy.
Interested?
If you are interested, please enquire now. We will contact you to find out more about your requirements and give you a quote.