Successfully Responding to Data Breaches

A recent Forrester Research study revealed that 25% of IT security decision makers and influencers reported at least one data breach over the past 12 months. This shows just how much of a reality data breaches are. Unfortunately, it is all too common for organizations to rest easy, thinking that they have implemented all the appropriate security features to prevent a data breach. The statistics show that planning for the inevitable, and recognizing that each and every breach is different, is absolutely crucial for data protection. This article takes a closer look at the issues involved in responding to data breaches of all kinds.

Perception is Reality

When data breaches occur, it’s important to remember that perception is reality. Successful breach responses take into consideration the framework within which the organization operates. There are various types of breaches, and a different level of perceived harm is associated with each of them. Successful organizations are able to respond proportionately to the level of harm involved.

Typically, once a data breach is discovered, organizations focus on pre-response activity. This involves understanding what happened and how it happened, and it draws in legal and forensic teams where necessary. While such activity may take hours or even months, it’s crucial to note that it must culminate in a Decision to Notify.

Current US breach notification laws require organizations to notify consumers of a data breach within 5 to 60 days. Within this time frame, organizations must begin mailing notifications to affected consumers. This notification normally triggers phone calls, so the organization must also set up a call center to receive the calls and respond to the questions and inquiries the customers are certain to have.

According to an AllClear ID report on data breaches, almost 20% of notice letter recipients will call the organization. These calls usually last anywhere from 5 to 20 minutes, so organizations must be prepared to serve customers through multiple channels of communication. Even if a toll-free 800 number is included in the notification letter, some customers will also choose to use email or social media channels. Ensure that staff at both physical and digital points of contact know what to expect and where to relay information.

Reducing the Cost of a Breach

Responding with concern to customer inquiries can save organizations millions in third-party legal fees, liabilities and lost business. In fact, lost business often ends up being the greatest cost of a data breach. According to a 2010 US Cost of a Data Breach study conducted by the Ponemon Institute, the typical breach costs $214 per record in both fixed costs and lost business.

Another recent Ponemon study showed a 21% average diminished value for brands after a breach, and an average of one year to restore an organization’s reputation. A poorly executed breach response on top of an already worrisome customer event only serves to increase damages.

While there are a number of remediation approaches, one of the most common is to enroll customers in an identity theft protection product that includes both credit monitoring and fraud assistance. It’s also important to limit third-party liability exposure and to act in the best interests of the affected individuals, given that regulations on consumer privacy protection are becoming increasingly stringent.

Types of Breaches

Being aware of the different types of identity theft can help an organization assess the risk of harm involved in a data breach and respond appropriately. There are four main categories of identity theft, each with a different level of harm.

  1. Financial identity theft
  2. Employment identity theft
  3. Medical identity theft
  4. Criminal identity theft

Financial Identity Theft

This is the most common type of identity theft that arises from a data breach. Experts have identified two different risk factors:

  • Existing account takeovers – These involve fraudulent transactions with compromised account numbers.
  • New account fraud – This involves compromised personally identifiable information (PII), which is used to obtain new credit, utility and/or service accounts. Since all that is needed to apply for and obtain a new account is a Social Security number and date of birth, this represents a particularly high risk.

Employment Identity Theft

This form of identity theft is increasing, in part because many organizations maintain a vast amount of sensitive information about their employees, particularly their Social Security numbers (SSNs). As mentioned earlier, an SSN is often all that is necessary to open a new credit account. Child identity theft also presents a large risk, as it can often go undiscovered for many years, until the child turns 18 and starts to create his/her own financial identity. Although employment identity theft isn’t the most common type of theft that results from a data breach, it is one of the most difficult to recover from, given the long-term nature of the fraud and its delayed discovery.

Medical Identity Theft

Medical identity theft is closely related to traditional financial identity theft. This happens when someone illegally obtains personal medical or health insurance information and uses it to get medical treatment, prescription drugs or other health care services. This form of identity theft is difficult to prevent, as there is no central repository for health care data to function as a clearinghouse (unlike credit bureaus created for financial data).

Medical identity theft frequently comes with financial consequences, since it results in unpaid bills from hospitals and doctors, or unpaid claims from health insurance companies. This identity theft will inevitably create problems for an individual’s medical and health insurance records, which will have a real and lasting impact on the victim’s health care treatment.

Criminal Identity Theft

Criminal identity theft is the least common of the four types of identity theft. However, it is the most difficult to recover from, because of the nature of the third parties (courts and law enforcement agencies) that must be involved to prove innocence. Criminal identity theft happens when a consumer is held liable for criminal activities he/she did not commit. This type of identity theft is often discovered when a victim is pulled over for a traffic violation and subsequently arrested due to an outstanding warrant. This might have happened because a criminal was arrested and presented a stolen or lost driver’s license, passport or other form of identification. Companies that collect or maintain physical or digital copies of personal identification documents are particularly exposed to this type of data breach.

Organizations that suffer a data breach must respond appropriately, or they risk increased losses, both in financial terms and in diminished brand perception. Each type of data breach carries an associated level of harm, so it’s important that decision makers within the organization know how to evaluate and respond to the various breaches. This article has looked at the four main categories of identity theft that may arise when a breach occurs: 1) financial identity theft; 2) employment identity theft; 3) medical identity theft; and 4) criminal identity theft.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Data security (I.D.)
  • Privacy expectations – consumer perspective, organizational practices (II.A.a.; II.A.b.)
