Before I started covering cybersecurity, I thought the term ‘breach’ had a single meaning — that an attacker stole data from a computer system. I also thought all the different versions of the word meant the same thing.

However, I’ve since learned the nuances and differences between a breach, a data breach and a data privacy breach. The difference is important. Classifying a breach poorly can result in unknowingly breaking a law or not complying with regulations.

Privacy regulations, such as the General Data Protection Regulation (GDPR) or state-specific laws, specify how an organization must respond to a privacy breach. Not complying correctly can mean fines and more negative publicity. According to Gartner, the personal data of 65% of the world’s population will be protected by modern privacy regulations by 2023, which is a major increase from 10% in 2020.

Breach, Data Breach or Data Privacy Breach?

Compliance with data privacy regulations hinges on correctly understanding the terms.

The general term ‘breach’, or security breach, means that someone who is not authorized to access a computer system has done so. It refers only to the act of gaining access to systems, not to stealing data from them.

In a data breach, information has been accessed — and likely stolen — from the systems that were breached.

In a data privacy breach, the information that was accessed is Personally Identifiable Information (PII). The Department of Homeland Security defines PII as any information that permits the identity of a person to be directly or indirectly inferred, including any information that is linked or linkable to that person. Examples include sensitive financial and personal information, such as social security numbers, bank account numbers, personal health data or credit card information.

Companies that face a data privacy breach must follow all relevant privacy rules that protect each person’s information that was stolen. For example, if a single customer resides in the European Union, the company must follow the reporting protocol outlined by the GDPR. Many companies offer identity theft protection, a free credit report and credit monitoring to consumers who faced a data privacy breach.

Just to be a little more confusing, the media and consumers often use the term data breach to refer to both data privacy breaches and general data breaches. However, from a privacy regulation perspective, the distinction matters. If an attacker accesses proprietary company data, such as information on an upcoming product, that’s a data breach. On the other hand, if they steal employee social security numbers, the incident is a data privacy breach.
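The three-way distinction above is in practice a triage decision an incident responder has to make early, because it determines which reporting protocol applies. The following is an added example, not code from the original article, that encodes that decision: it classifies an incident as a security breach, a data breach or a data privacy breach from what was accessed, and flags whether the GDPR reporting protocol is triggered because at least one affected person resides in the EU. The data-category labels, the `Incident` record and the sample incidents are constructed for illustration; a real deployment would take the category taxonomy from the organization's data inventory and extend the jurisdiction check to the state-specific laws the article mentions.

```python
from dataclasses import dataclass, field
from enum import Enum


class BreachClass(Enum):
    NONE = "no breach"
    SECURITY_BREACH = "security breach"          # unauthorized access, no data taken
    DATA_BREACH = "data breach"                  # data accessed, none of it PII
    DATA_PRIVACY_BREACH = "data privacy breach"  # PII accessed


# Assumed category labels for this example (hypothetical taxonomy).
PII_CATEGORIES = {
    "ssn", "bank_account", "credit_card", "health_record", "date_of_birth", "email",
}

# EU member states as ISO 3166-1 alpha-2 codes, used for the GDPR residency check.
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}


@dataclass
class Incident:
    """Constructed incident record: what happened and whose data was involved."""
    unauthorized_access: bool
    data_accessed: set = field(default_factory=set)         # categories reached
    affected_residencies: set = field(default_factory=set)  # country codes of subjects


def classify(incident: Incident) -> BreachClass:
    """Apply the article's definitions in order of severity."""
    if not incident.unauthorized_access:
        return BreachClass.NONE
    if not incident.data_accessed:
        return BreachClass.SECURITY_BREACH
    if incident.data_accessed & PII_CATEGORIES:
        return BreachClass.DATA_PRIVACY_BREACH
    return BreachClass.DATA_BREACH


def pii_exposed(incident: Incident) -> set:
    """The PII categories that were reached, which drives per-person obligations."""
    return incident.data_accessed & PII_CATEGORIES


def gdpr_reporting_required(incident: Incident) -> bool:
    """GDPR reporting protocol applies when PII was accessed and at least one
    affected person resides in the EU (a single EU resident is enough)."""
    return (
        classify(incident) is BreachClass.DATA_PRIVACY_BREACH
        and bool(incident.affected_residencies & EU_MEMBER_STATES)
    )


# Constructed sample incidents mirroring the cases discussed in the article.
SAMPLE_INCIDENTS = {
    # Attacker got a shell on a web server; logs show no data read.
    "server_intrusion": Incident(unauthorized_access=True),
    # Attacker copied an unreleased product roadmap; no personal data involved.
    "roadmap_theft": Incident(True, {"product_roadmap", "source_code"}, {"US"}),
    # Attacker dumped an HR table with employee SSNs; one employee lives in Ireland.
    "hr_table_dump": Incident(True, {"ssn", "employee_id"}, {"US", "IE"}),
    # Same HR dump but all affected employees reside in the US.
    "hr_table_dump_us_only": Incident(True, {"ssn", "employee_id"}, {"US"}),
}


def triage_report() -> dict:
    """Classification and GDPR flag for every sample incident."""
    return {
        name: (classify(inc).value, sorted(pii_exposed(inc)), gdpr_reporting_required(inc))
        for name, inc in SAMPLE_INCIDENTS.items()
    }


if __name__ == "__main__":
    for name, (cls, pii, gdpr) in triage_report().items():
        print(f"{name:24s} {cls:22s} pii={pii} gdpr_reporting={gdpr}")
```

The ordering in `classify` matters: a privacy breach is also a data breach and a security breach, so the most specific (and most regulated) category is tested first. Note that the GDPR flag is false for `hr_table_dump_us_only` even though the data is identical, which is exactly why the classification step has to look at who the affected people are, not only at what was taken.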


Breaches Involve Lengthy Recovery and Costly Fines

One of the biggest keys to reducing the damage after a data privacy breach is the speed of response. To respond to data subject access requests (DSARs), many organizations use automation such as a SOAR solution. With this technology, companies improve teamwork and speed up their response through automation. Most importantly, these platforms ensure repeatable and consistent processes, which are often hard to maintain during the high-stress period after a breach.

Many organizations assume that after they follow their response protocols the worst of the breach’s effects are behind them. But the SEC may still find the victim at fault and levy hefty fines. First American Financial Corporation was fined $487,616 related to a vulnerability that exposed sensitive customer information. The impact was even greater for Pearson plc, a London-based publishing company that agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber intrusion. The data privacy breach involved millions of student records. It included dates of birth and email addresses. The organization did not have adequate disclosure controls and processes in place.

In addition to fines, the non-business impact of a breach can be significant. The IBM 2022 Cost of a Data Breach report finds that lost business costs average $1.42 million in customer churn, downtime and new business acquisition costs. Other costs include detection and escalation ($1.44 million), post-breach response ($1.14 million) and notification costs ($270,000).

Preventing Privacy Breaches

Organizations need strong privacy policies, processes and tools to manage data privacy and reduce vulnerabilities. By classifying sensitive data correctly and applying specific handling rules to it, you can manage that data better. This is especially important for those using hybrid cloud environments, since they must ensure that each environment meets the same standards.

In some cases, separate teams handle privacy and security. Cybersecurity workers focus on protecting the data. The privacy team works on data policies, such as collection, storage and removal. However, security and privacy, in terms of both practice and regulations, intertwine. By making sure the two work together, organizations can both reduce their risk of breach and improve their response if a privacy breach occurs.

The IBM 2021 Cost of a Data Breach report named zero trust one of the most effective ways to reduce the cost of a breach. Companies with mature zero trust processes reported breaches costing $1.76 million less per breach than those without zero trust. The principles and strategies of a zero trust framework reduce both the vulnerability to and the impact of a breach. For example, multi-factor authentication reduces the likelihood of unauthorized access, and Identity and Access Management (IAM) limits the access an insider could abuse. In addition, microsegmentation limits the damage of a breach because attackers can reach only a very small portion of the network and data.

Many experts say it’s not a matter of if an organization will face a data privacy breach, but when it will happen. Reducing vulnerabilities is the first step to data privacy breach preparation. Be prepared for how to respond to a breach. That way, you can limit and reduce both the cost and reputational damage.
