Data Breach
Primary reference(s)
ICO, no date. Personal Data Breaches. Information Commissioner’s Office (ICO). Accessed 30 April 2021.
Additional scientific description
The Ponemon Institute defined a data breach as an event in which an individual’s name together with a medical record and/or a financial record or debit card is potentially put at risk, either in electronic or paper format (Ponemon Institute, 2017). They identified three main causes of a data breach: malicious or criminal attack, system glitch, or human error (Ponemon Institute, 2017). The cost of a data breach varies according to its cause and the safeguards in place at the time of the breach.
Metrics and numeric limits
Not available globally.
Key relevant UN convention / multilateral treaty
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg 1981. The Council of Europe (CoE) Convention on Cybercrime, also known as the Budapest Convention, is the only binding international treaty on this issue. At the time of writing, the total number of countries that had ratified the convention was 64, including both CoE members and non-members (CoE, 2001).
The International Telecommunication Union (ITU) Global Cybersecurity Index (GCI), linked to the Sustainable Development Goals, is a trusted reference that measures the commitment of countries to cybersecurity at a global level, in order to raise awareness of the importance and the different dimensions of the issue. As cybersecurity has a broad field of application, cutting across many industries and sectors, each country’s level of development or engagement is assessed along five pillars (legal measures, technical measures, organisational measures, capacity building, and cooperation) and then aggregated into an overall score (ITU, 2020a).
Examples of drivers, outcomes and risk management
Cybersecurity threats and attacks are growing rapidly; these include viruses, worms, Trojan horses, spoofing attacks and identity theft (ITU, 2008). In 2017, the UN released its second Global Cybersecurity Index (GCI), and the International Telecommunication Union (ITU) reported that about 38% of countries have a published cybersecurity strategy and that an additional 12% of governments are in the process of developing one (United Nations, 2017; ITU, 2020a).
The ITU reports that cybersecurity remains high on Sustainable Development Goal study group 17’s (SG17) agenda (ITU, 2020b). In addition, SG17 is coordinating security standardisation work covering the combating of counterfeiting and mobile device theft, IMT-2020, cloud-based event data technology, e-health, the open identity trust framework, Radio Frequency Identification (RFID), and Child Online Protection. ITU-T’s Cybersecurity Information Exchange (CYBEX) offers tools to ensure rapid, internationally coordinated responses to cyber threats. The ITU-T X.1500 CYBEX ensemble of techniques is a collection of best-of-breed standards from government agencies and industry. It provides a standardised means of exchanging the cybersecurity information demanded by Computer Incident Response Teams (CIRTs) and is an essential tool for preventing the spread of cyberattacks and data breaches from nation to nation (ITU, 2020b).
The US Ponemon Institute has conducted an annual review of the cost of data breaches over the past few years. In its 2017 Cost of Data Breach Study: Global Overview, it reported that the average cost to companies of a data breach was USD 3.62 million (Ponemon Institute, 2017). Given that major sectors including healthcare, finance, retail, and e-commerce are among the regular targets of data breaches, preventative and timely protection measures are vital.
An example of a data breach occurred in 2017 (Wang and Johnson, 2018). Equifax suffered a corporate data breach in which the personal information of 140 million customers, including sensitive personal and financial information, was disclosed without authorisation, violating the confidentiality of protected data assets.
The factors that determine data breach costs include: the unexpected and unplanned loss of customers following a data breach (churn rate); the size of the breach, i.e. the number of records lost or stolen; the time it takes to identify and contain the breach; the detection and escalation of the incident; post-breach costs, including the cost of notifying victims; and the cause of the breach, since an attack by a malicious insider or criminal is costlier than a system glitch or negligence (human factor) (Ponemon Institute, 2017).
The Ponemon Institute identified several notable points associated with the impact of data breach incidents, including: the more records lost, the higher the cost of the breach; the faster a breach can be identified and contained, the lower the costs; hackers and criminal insiders cause the most data breaches; incident response teams and extensive use of encryption reduce costs; and third-party involvement in a breach and extensive cloud migration at the time of the breach increase the cost.
Current thinking on actions to reduce data breach hazards includes: having an incident response team; making extensive use of encryption; training employees and involving them in threat sharing; developing processes for business continuity management; using cyber analytics; using data loss prevention systems; and appointing professionals such as a Chief Privacy Officer, with board-level involvement, to lead the management of data breach reduction (Ponemon Institute, 2017).
The purchase of cyber and data breach insurance can help manage the financial consequences of the incident (Ponemon Institute, 2017).
In summary, cybersecurity is a collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the assets of organisations and users (ITU, 2019).
References
CoE, 1981. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Strasbourg Convention). Council of Europe (CoE). European Treaty Series - No. 108. Accessed 20 November 2019.
ITU, 2008. ITU-T X.1205. Overview of cybersecurity. International Telecommunication Union (ITU). Accessed 21 November 2019.
ITU, 2019. Definition of cybersecurity. International Telecommunication Union (ITU). Accessed 21 November 2019.
ITU, 2020a. Global Cybersecurity Index. International Telecommunication Union (ITU). Accessed 5 October 2020.
ITU, 2020b. Study Group 17 at a glance. International Telecommunication Union (ITU). Accessed 5 October 2020.
Ponemon Institute, 2017. 2017 Cost of Data Breach Study: Global Overview. Accessed 5 October 2020.
United Nations, 2017. Sustainable Development Goals SDG17 - Half of all countries aware but lacking national plan on cybersecurity, UN agency reports. Accessed 5 October 2020.
Wang, P. and C. Johnson, 2018. Cybersecurity incident handling: a case study of the Equifax data breach. Issues in Information Systems, 19:150-159.