Here in Ireland over 80% of businesses have experienced a data breach in 2014. That's a lot by any standard, although the vast majority of these breaches are relatively small-scale.
Nonetheless, the initial realisation that data has gone missing can cause the coolest character to experience that sinking feeling in the stomach, and the next steps that are taken are often vital.
Traditionally, whether in the US or in Europe, the media tells tales of woe, where large corporations fall victim to the latest, and often not the most technical, hack. Millions of records are lost and countless numbers of innocent victims find their personal data in the hands of malcontents and criminals. Unfortunately, this is an all to common occurrence.
At another time, I intend to write about a common theme I have seen across many of these large-scale hacks, where there is a clear psychological and linguistic path that is trodden by most of them, but that is for another day.
What I want to talk about today is the data breach for the little guys. The smaller mom-and-pop shops and SME businesses, where oftentimes the media will never hear of these breaches. And as can be seen from Irish research (and believe you me, we are not an exception), this is an all too common event.
The average data breach, according to research done by the Ponemon Institute, is approx 10,000 records. I would, personally, argue that it is smaller, maybe in the low thousands, but the frequency with which it occurs is phenomenal. Frankly put, businesses are often atrocious at controlling the use of personal data by staff and third parties.
When a small-scale breach occurs, there is plenty of legislative basis in the US and Europe to report the breach, to relevant authorities, and to validate what remedial actions are underway. interestingly, state law in the US has really upped the ante on mandatory breach notification. I would personally argue that the US is well ahead of Europe on this matter.
Setting aside the legislative obligations, what has not really been researched to any extent is the impact a data breach has on the well-being of staff. The vast majority of people are moral, regardless of religious or humanistic beliefs. They want to do the right thing for their customers, and the notional concept of losing data is abhorrent to them.
Now, there are exceptions, and I certainly would argue that public sector services in the US and Europe can be particularly lackadaisical about controls and processing restrictions on personal data, but the general theme of not wanting to lose the data, is certainly true.
Recently, I did a Data Protection Assessment for a financial services organisation, who had the misfortune of a data breach that made national headlines for nearly a week! It was the first time I had actually been involved in an assessment with them. What struck me was the impact that the event had on staff. Firstly there had been a significant overhaul in how data was processed within the organisation, be that paper as well as digital records. In fact, the degree of change was so astounding, my impressions were that they were extremely compliant.
However, what really struck me was the psychological impact. More than one member of staff, whom I interviewed, had experienced significant stress and emotional toil from the experience. The degree of intrusion by the media, and investigation by regulatory authorities and third-party consultants, was such that staff felt deeply ashamed of the event and horrified at the impact on innocent people.
I don't want to overstate the impact, but I was very struck by the legacy and mental scars left behind.
There is no doubt that a data breach is an event none of us want to experience, in particular where that event is likely to be significant enough to make local or national headlines. As a manager, or a director of a company, make sure to be mindful of this impact, for your staff, and put in place appropriate actions and safeguards to protect them, if or when such an event occurs.