What is a Data Breach? It is a security breach that results, whether accidentally or unlawfully, in the destruction, loss, modification, or unauthorized disclosure of data.

Most common data breach causes and examples

A data breach may compromise the confidentiality, integrity, or availability of confidential data and can trigger major consequences for employees in the workplace and for the integrity of the company itself.

Some possible examples:

  • the access to or acquisition of data by unauthorized third parties;
  • the theft or loss of computer devices containing personal data;
  • the deliberate alteration of personal data;
  • the inability to access data due to accidental causes or external attacks (viruses, malware, etc.);
  • the loss or destruction of personal data due to accident, adverse event, fire or other calamity; and
  • the unauthorized disclosure of personal data.

Faced with the high number of cyberattacks recorded in recent times in our country as well, it is important to draw the attention of public administrations and businesses to the problem.

It is crucial to invest in security and to provide guidance, in particular, on how to defend against data breaches and ransomware, the latter being software that takes an electronic device “hostage” and then “frees” it only upon payment of a sum of money.

Most relevant data breaches in 2021

Significant in this regard is the number of data breaches notified in 2021 by public and private entities: 2071 (an increase of about 50 percent compared to 2020), many of which related to the dissemination of health data and also led to sanctions.

Interventions by the Authority in this area also involved large social platforms such as Facebook and LinkedIn.

The College rendered 72 opinions on regulatory and administrative acts, covering: health care; taxation; justice; education; digitization of public administration; and public interest functions.

There were 12 reports of offenses notified to the judicial authorities, concerning violations in the areas of remote monitoring of workers; unauthorized access to computer or telematic systems; unlawful data processing; false statements; and non-compliance with the Guarantor’s orders.

A total of 49 inspections were carried out in 2021, a figure reduced by the pandemic emergency.

The inspections, carried out also with the contribution of the Guardia di Finanza’s Special Unit for Privacy Protection and Technological Fraud, covered various areas in both the public and private sectors: in particular, electronic invoicing; database providers; domestic video surveillance; reputational databases; marketing and profiling; data breaches; and food delivery.

[Figure: Notifications to the Italian Data Protection Authority. Source: The Italian Data Protection Authority]

Data breach: how to prevent it

Absolute security of an information system is not achievable. Companies are required by the legislature itself to independently choose security measures appropriate to the confidentiality, type and volume of the data they process.

AgID’s Guidelines for Public Administration can be a useful reference point for implementing minimum, standard and advanced security measures and for measuring how far your company’s current posture falls short of, or exceeds, each level.

To prevent a data breach, you need to do thorough work in the early stages of the process: taking a census of the data you hold, analysing the risks to it, and identifying the appropriate protection measures.

To be ready to respond in the event of a cyberattack, on the other hand, it is useful to reuse the outcomes of the data census and risk analysis phases to implement (low-cost) Forensic Readiness measures, so that the evidence needed to reconstruct an incident is already being collected and preserved before one occurs.

Consequences for companies

Ninety-three percent of attacks last less than a minute, yet companies often take several weeks to discover them. In the meantime, if the data is not well protected, the breach can lead to troubling consequences. Here is what a company risks if it does not adequately protect its data:

  • Loss of revenue

A reduction in business following a breach is rather common, and it results in a significant loss of revenue for the company.

  • Reputational damage

The damage can also affect earnings in the long run: those who fall victim to the data breach will hardly place their trust in the brand in question again, and will pass their opinion on to colleagues and friends. A good corporate reputation, once lost, is difficult to recover.

  • Loss of intellectual property

The target of an attack is not only the personal data of customers or employees, but also confidential corporate information such as strategies, plans, design ideas, and so on. The companies most susceptible to intellectual property theft are construction and manufacturing companies, but small businesses are not safe either.

  • Hidden costs

The obvious costs due to lost revenue are only part of the whole: among the expenses to be counted are the administrative fines to be paid, which may be more or less substantial, the legal liability towards those affected, and the possibility that the attackers will not limit their malicious actions to the compromised users but extend them to those users’ contacts as well.

The incident management team

One way for organizations to mitigate the risks and costs of a data breach is to prepare in advance a strategy for managing and responding to such events. Simply put, prepare for the eventuality.

Research conducted by the Ponemon Institute indicates a possible reduction in the cost of a data breach of up to 35% for those organizations that have an incident management team and a management plan that is subject to periodic review.

The composition of the team depends first and foremost on the organizational context (e.g., size, resources, and expertise) but can also vary with the nature and circumstances of the breach.

In some circumstances, the support of external experts (e.g., lawyers, forensic specialists, etc.) may be useful or necessary.

It is therefore important for organizations to identify what expertise they may need and how they can arrange for such services when needed.