What Tech Leaders Need To Know About Data Breaches

On a near weekly basis, I read about breaches where much of the exfiltrated data was old data that the organization had no real reason to retain. See, e.g., https://lnkd.in/eaX53AWQ and https://lnkd.in/e4pVA6bT. According to IBM's 2023 Cost of a Data Breach Report, breaches cost organizations an average of $165 per record breached. Report at 2. That means that purging 100,000 records of unnecessary data could save you $16.5M in the event of a breach. Here are five tips: 1. PRACTICE DATA MINIMIZATION: Organizations should practice "data minimization." This means only collecting data that you have a good business reason for collecting and purging unneeded data when it is no longer needed. 2. ARCHIEVE DATA OFFLINE: In one recent example, the breached company apparently "ceased operations in December 2022 but, to comply with legal obligations, . . . maintained an archived copy of data previously stored on its computer systems." See https://lnkd.in/e4pVA6bT. To the extent you are only retaining old data is to satisfy regulatory requirements or just "in an abundance of caution," consider storing the data completely offline, so it is less likely to be breached. 3. CONDUCT A DATA MAPPING: These days it is common for data records to be duplicated in many places across an organization. Thus, consider conducting a regular "data mapping" to ensure that you know where all of your sensitive data is located, that you are adequately protecting it, and that you are purging it when appropriate. 4. IMPLEMENT A WRITTEN POLICY: Be sure to document your data retention and destruction policy in a written policy, and train your employees on the policy regularly. Remember to update the policy to reflect the changing realities in your organization. 5. OVERSEE THE DESTRUCTION OF DATA: Finally, when you destroy data, take reasonable steps to ensure that the data is actually being destroyed. One bank was recently fined $60M for failing to properly oversee a vendor responsible for purging personal data from digital devices. See https://lnkd.in/eutKzpU7.

Webb v. Injured Workers Pharmacy, LLC: A Turning Point for Privacy Tort Cases The outcomes of the Webb case could heighten businesses' risk of class action lawsuits after data security incidents and ignite more litigation, particularly in consumer data privacy claims. This decision is a guide for companies and their legal teams to minimize litigation risk in privacy and data breach cases. It has also changed the significance of privacy torts by reevaluating the concrete nature of certain intangible harms.  Appropriation * In Webb, the court ruled that alleged actual misuse of Webb's PII suffices to establish a concrete injury. The misuse aligns with the invasion of privacy based on appropriation of another's identity.  * The court found the Anderson case useful, where plaintiffs' mitigation costs due to a serious data breach constituted harm under Maine law.  Risk of Future Misuse * The court held that the complaint plausibly alleged a concrete injury due to the risk of future misuse of PII. The nature of the data breach and the lost time spent on protective measures contributed to this concrete harm.  Breach of Confidence and Invasion of Privacy * The court didn't decide if the exposure of plaintiffs' PII in the breach was an intangible harm sufficient to confer standing. This invites future plaintiffs to argue that certain data breach injuries are related to traditional intangible harms. Privacy & Data Security Lessons for Businesses Considering the First Circuit’s analysis, companies should reevaluate their privacy and data security practices and update their incident response plans. This includes the following measures: 1. Timely Notification: Companies must notify all affected customers effectively and in compliance with applicable deadlines. 2. Customer Support: Companies should adopt measures to ease customer anxiety over potential or actual misuse of sensitive personal data. 3. Dispute Resolution: Examining dispute resolution terms with customers could minimize the risk of class action litigation and mass arbitration. 4. Record-Keeping Process: A meticulous record-keeping process for communications with affected customers is vital for later litigation or arbitration. To prevent data security incidents and avoid potential litigation, companies can implement the following security controls: 1. Encryption: Encrypting sensitive data, both at rest and in transit, makes it unreadable to unauthorized individuals even if they gain access. 2. Multi-Factor Authentication: This additional layer of security requires users to provide two or more forms of identification before gaining access. 3. Regular Security Audits: Regular audits can help identify vulnerabilities and ensure that security measures remain effective as technology and potential threats evolve. #privacy #cybersecurity #law

When a $67B company with strong financials and global recognition becomes the target of a sophisticated cybersecurity breach, every business leader should take note. The recent incident involving Coinbase, external threat actors accessed sensitive internal data by bribing overseas contractors, underscores a reality that’s often underestimated: your weakest security link might not be a firewall, but a person. Despite having top-tier resources and monitoring systems, Coinbase still faced a ransom threat tied to employee vulnerability. The breach didn’t touch funds or passwords, but it did expose detailed personal and corporate data — the kind of information that can cascade into serious downstream risks. What can leadership teams take away from this? 1. Trust is not a substitute for training. Insider threats — whether coerced, bribed, or negligent — are real. 2. Third-party relationships demand constant scrutiny. Vetting vendors is not a one-and-done task. 3. Crisis response readiness should be a KPI. How quickly and transparently you respond can determine long-term reputational impact? Few action steps for leadership: - Conduct a fresh audit of third-party access points. - Review internal fraud-prevention protocols and training. - Simulate a breach scenario (TTX) and learn where your playbook needs sharpening. Security is no longer just an IT concern. It’s a boardroom conversation. #cybersecuritynews #cybersecurity #infosec #breach https://lnkd.in/dNvMC8wP