3 minute read

Hurricane Data Breach: Assessing Severity in the Eye of the Storm

Hurricane season is here. Preparedness can mean the difference between survival and disaster when a storm strikes. In the business world, preparedness is just as critical to survival when a data breach strikes.

Data breaches, like hurricanes, are unpredictable and with that unpredictability comes risk. You can’t board up every window in town, and you can’t protect every data element from all threats. And despite your advanced planning and preparation, the experience of an actual breach can be overwhelming and disconcerting. In the middle of it all, you may be asking questions such as:

  • How much damage could this data breach really cause?
  • How much will this data breach really cost?
  • Are breach victims getting the protection they really need?

Successful Data Breach Response: A Proven 12-Step Process

Measuring Data Breach Severity

While it’s impossible to plan for every contingency, it can be helpful to assess the level of risk that a data breach poses. Just as the wind intensity and storm surge can be used to forecast the level of damage from a hurricane, knowing the severity of a data breach can help you formulate a proper response.

Based on our experience, we’ve found that data breach severity can be categorized into one of three categories: Low, Medium, and High. Such an assessment includes certain factors, namely the characteristics of the data that was compromised, the cause of the breach, and the nature of the breached population.

Data Characteristics

Some types of data, such as social security numbers or health information, carry more risk than, say, credit card data. In addition, other factors come into play, and it’s important to ask the following questions:

  • What type of data was it? Names? Social Security numbers? Health records?
  • Was the data encrypted?
  • Where was the data? In-house? In the cloud? Third-party?
  • What format was the data? Electronic? Paper?
  • What regulations protect the data?
  • How easily can the data be recovered?
  • What types of risks does the exposure of this data pose? Financial? Reputational? Health?

Cause of the Breach

The sources of a breach are as varied as the breaches themselves. The Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data conducted by Ponemon Institute found that half of all data breaches were caused by criminal attacks, and the other half was due to other problems—unintentional employee actions, third-party snafus, and stolen computing devices. Measuring data breach severity by this factor alone is risky. On the surface, a ransomware attack is seen as posing a higher risk than a lost laptop, but deeper digging can reveal truer answers. Consider asking:

  • Was the incident malicious or non-malicious?
  • Was the breach caused internally or externally?
  • What is the root cause of the breach? Ongoing employee negligence? Poor user security? Outdated security patches?

Nature of the Breached Population

Some customers or patients are at greater risk for identity theft and other consequences of data breach than others, making this a critical factor to consider when assessing data breach severity. These questions can help:

  • What is the size of the breached population?
  • What are the demographics of the breached population? Are they employees? Customers? Patients?
  • Are there special-needs individuals, such as minors, elderly, the deceased, or non-English speaking?
  • What is the relationship between the organization and the breached population? A breach at a small employer will be handled differently than will a breach at a large health plan or financial services company.

A Word of Warning

Hurricane Data Breach can strike anytime, anywhere—no one is immune. In the aptly titled report, Planning for Failure: How to Survive a Breach, Forrester researches noted that “It’s not a question of if—but when—your organization will experience a serious security breach…. You can’t stop every cyberattack. However, your key stakeholders, clients, and other observers do expect you to take reasonable measures to prevent breaches in the first place, and when that fails, to respond quickly and appropriately.”

In upcoming blog posts, we’ll use scenarios to see how the three factors described here can be helpful in assessing the severity level of your next data breach—and what you can do to formulate a proper response.

In other words, help you be prepared for the storm.

Successful Data Breach Response: A Proven 12-Step Process

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.