Another week has gone by, and with it another news cycle filled with examples of recent data breaches, hacking attacks, and regulatory enforcements. Does it feel like our work as privacy professionals is enjoying a little too much of the limelight these days?
You aren’t alone. Data breaches – and the required notification to affected individuals – are becoming much more common. In September, nearly 1.5M people had their data exposed in healthcare breaches as reported to the HHS Office for Civil Rights. That is more than double the figure reported in August. Another recent study cites a 54% increase in data breaches reported for 2019 vs the same time period in 2018. And while we know that the majority of incidents are attributed to human error in unauthorized data disclosure, the threat of outside attacks remains top of mind for any privacy professional.
In fact, the threat of data breaches and hacking events are so commonplace that the ethics and strategies for journalists reporting on breaches is something beat writers are actively considering - take a look at this recent article from one of the writers of the Vice column, “Another Day, Another Hack.” Underscoring how routine it is to see major data breaches reported in the news, the article has the following tips:
- For confirming a hack has taken place: “The easiest method is to contact the company or service that was allegedly broken into and ask them to confirm. More often than not, they won’t.”
- For confirming the data being sold by nefarious actors is real: “If data from the alleged breach contains both usernames or email addresses and passwords, you might be tempted to test them and log in with them. Do not do this. This is both a crime and an invasion of privacy.”
- For choosing your language and story angle: “There’s a fine line between giving your readers advice and scaring them. Don’t alarm people with unsubstantiated claims or exaggerated risks.”
In other terrifying news: are data breaches and ransomware linked to an increase in fatal heart attacks? This sobering account of a recent study details how, following a ransomware or hacking attack, it’s common to implement increased security measures such as stronger passwords, enforcing password use and two-factor authentication. However, also according to this study, these measures may be slowing down doctors, nurses, and other healthcare practitioners in their work. One figure cited: the time it took for a patient to receive an electrocardiogram increased by as much as 2.7 minutes after a data breach. Another stat from the study: after data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals included in the study.
Here’s where the writer in me wants to take the suggestion from the previously linked article and leave you with some friendly advice. It’s not all doom and gloom. There are proactive approaches a seasoned privacy professional can take to mitigate risk, reduce the threat perimeter to their company, and remain ahead of changing data breach regulations. Here are three resources to start with:
- Breach Law Radar: a free library of hundreds of global privacy laws, rules, and regulations to stay current on existing and proposed legislation.
- Review this month’s on-demand webinar recording, Incident and Breach: How to Build a Proactive Response Plan
- Read the recent blog post from my colleague Brian, Built to Win: 5 Steps of a Proactive Incident Response Plan that Works