A data breach is a security incident during which sensitive, protected, or confidential data has been accessed or exposed to unauthorized entities. Data breaches occur in organizations of all sizes, from schools to small businesses to enterprise organizations. These incidents may expose protected or personal health information (PHI), personally identifiable information (PII), intellectual property, classified information, or other confidential data.
Some types of protected personal information include:
- Driver’s license numbers
- Medical records
- Financial records
- Social security numbers
- Criminal records
For businesses, sensitive data may also include customer lists, source code, credit and debit card information, user data, and other sensitive information.
Data breaches may be caused by different types of cyberattacks, such as malware, viruses, phishing attacks, ransomware, or theft of physical devices. Data breaches may also be due to misconfigurations, unpatched security vulnerabilities, malicious insiders, or other types of insider errors. Allowing unauthorized individuals into a building or floor, attaching or sharing the wrong document, or even copying the wrong person on an email all have the potential to expose data and result in a significant data breach.
Many industries, particularly the financial and healthcare industries, mandate controls of sensitive data. Industry guidelines and government regulations increasingly require strict controls, disclosure rules if a breach occurs, and penalties or fines for organizations that fail to safeguard the data in their care.
The Payment Card Industry Data Security Standard (PCI DSS) applies to financial institutions and businesses that handle financial information. The Health Insurance Portability and Accountability Act (HIPAA) regulates who has access to view and use PHI in the healthcare industry.
The General Data Protection Regulation (GDPR) in the European Union increases individuals’ control and rights over their personal data and includes the potential for significant fines for organizations found not to be in compliance with the regulation. Other countries also have significant regulations regarding data protection. The United States has several laws at the federal and state levels intended to protect the personal data of U.S. residents.
Negative impacts to a business due to a data breach include fines; costs related to investigating, mitigating, and recovering from the incident; reputation loss; litigation; and possibly even the inability to operate the business.