By Mike Farrell
October 21, 2020â˘6 min read
Data breaches are dreaded, and for good reason. They harm multiple parties at once, impacting not only the business thatâs been compromised, but also the supply chain of vendors and online services, and possibly millions of customers.
According to IBMâs Cost of a Data Breach Report 2020, a data breach can cost an organization an average of $3.86 million US per incident. The likelihood of an organization experiencing a costly data breachâacross all industries and all business sizesâwithin two years was 29.6 percent in 2019, up from 22.6 percent in 2014, IBMâs study also finds.
And theyâre far too frequent. According to the Identity Theft Resource Center, American organizations of all sizes faced 1,300 large and catastrophic data breaches in 2017, a shocking increase from about 200 in 2005.
Data breaches also hurt your brand, and they embed in your customerâs psyche a tardiness when it comes to the technical governance of their data.
But whatâs the connection to data privacy, outside the obvious exposure of private data? Put simply, optimizing your data privacy strategy can improve the overall governance of your data.
In this post, weâll explain how.
Regulations like the GDPR in Europe and the CCPA in California are clear when it comes to organizations needing to take appropriate security measures to prevent and to report a data breach theyâve discovered. Depending on which regulations pertain to a company and its data, an organization can be fined for insufficient security measures. Although what constitutes a strong âsecurity measureâ isnât well defined in privacy laws, things like not having controlled data access privileges or failing to do appropriate red team operational exercises likely apply.
And the maximum penalty carries a hefty sticker shockâunder GDPR, the maximum penalty for breach is 2% of global revenue or $10M Euro (whichever is higher). And for data rights violations, that maximum penalty is doubled.
You also need to prove youâre already compliant with existing laws, and the cost of doing so during or after an incident is higher than if youâd taken proactive steps before a breach hits.
But with or without regulations, organizations can also be subject to expensive litigation, and they may also incur reputational damage in the eyes of consumers who may want to take their business elsewhere if they donât trust the company.
Outside the regulatory and legal penalties, data breaches can have a long term impact on brand trust and user acquisition, if not handled effectively. A study from IT security firm Centrify found that 31% of consumers surveyed say they discontinued their relationship with the company that had a data breach.
Having incident response plans for data breaches is crucial. But those plans wonât be effective if you donât know where all of your data is stored.
One of the problems that all organizations have with securing their sensitive data is that it can be stored in a number of different places, and the proliferation of SaaS (Software-as-a-service) data processors can increase the rate at which user data appears in various places (Note: this proliferation of user data in different systems is sometimes referred to as âdata decentralizationâ).
And while the rise of SaaS is a good thing for the effectiveness of most businesses, it does mean increased risk of losing data to well-intentioned yet troublesome shadow IT systems. It sounds painfully obvious, but how can you prevent a breach if you donât truly know where your data is stored, or where itâs going?
Exactly how big is this proliferation challenge? According to recent research, mid-size companies now use an average of 288 different SaaS applications, from payment processing providers, customer support ticketing systems, ecommerce platforms, and so onâa 42% increase from the previous year.
And while each of these new SaaS vendors can be crucial for giving your engineering team leverage to focus on core products, each also has the potential to be one more exposure risk.
I talk to many technical leaders who often plan to start with a data map exercise in order to get a better handle on their disparate data stores for breach protection and data privacy visibility and management.
Data mapping can be useful in many situations, and provides a rough roadmap when defining where personal data is located, and defining what deterministic queries might be required to action against that data.
But most engineering leaders know that creating a data map is more often than not a massive, resource intensive project which requires constant work and doesnât result in a meaningful product that can be shipped to improve the business.
There are a number of smart technical mapping solutions that are a big help (and are definitely recommended over low-tech consulting options), but even the best of technical approaches still require some non-technical labor to routinely update the data maps and correct errors.
Knowing where your personal data exists is one thing. But how do you actually manage that data? What happens when a frustrated customer requests access to the data you hold on them? Or even more challenging, requests deletion?
Youâre back at square one, facing another project to prioritize, another team to take off core work, and another systems analysis and risk analysis to complete.
Thatâs where not just mapping, but connecting the dots with data privacy infrastructure comes into play. It takes this exercise a step further, and gets you closer to a frictionless, automated, and less human-dependent solution.
Thatâs part of the opportunity we realized in engineering Transcendâs data privacy infrastructure. Not only can clients like Robinhood, Indiegogo, Masterclass, and Patreon see where customer and user data lies, but theyâre delivering immediate consumer value through CCPA compliance, while also granting comprehensive (and fast) data rights to their users too.
In each of these cases, we worked with their teams to not identify where personal data is stored, but establish connections to each of these systems (both internally-built and off-the-shelf SaaS) to automate the privacy request fulfillment process, through the use of fast, deterministic queries.
By automating connections to their SaaS data processors, theyâre quite literally âactingâ on their data map in real time, ensuring not only visibility but privacy request compliance.
By using end-to-end encryption and deterministic queries, this system ensures a level of accuracy and confidentiality not possible in a manual workflow.
Essentially, theyâve turned their personal data mapping exercise into a future-proof personal data fulfillment engine as part of a wider and more secure data governance program, bringing not only regulatory compliance, but consumer brand wins.
And theyâve implemented safeguards against a data breach. They know where their data is stored, theyâve reduced the number of humans in the loop when fulfilling privacy requests, and theyâre responding securely and accurately to requests thanks to deterministic queries, ensuring the right data gets to the only person itâs meant to get to.
Beyond evolving your approach to data mapping to secure the fort, here are some additional tips I recommend if youâre struggling with the enormity of data governance and security projects or feel like you are on a never-ending data mapping ferris wheel:
Thereâs an added benefit to demonstrating clear and user-centric data governance, and providing your users with control over their data, when it comes to mitigating against data breaches. Weâre already seeing the signals that granting transparency can build goodwill with your users, a valuable insurance policy if the worst occurs.
In a survey of over 1,000 Americans, we found that 60% of Americans believe that companies that can provide users with instant access to control personal data are seen to care about their customers.
Additionally, 62% of Americans also rate companies that provide instant access to a userâs data as trustworthy, 58% say transparent, and 55% deem them to be helpful.
As youâre more than likely aware of from past experience or through lessons learned by colleagues, when that dreaded alert arrives, itâs an all hands on deck effort to quickly triage, respond to, and remediate when a data leak is detected.
But by practicing good data governance, and recalibrating to immediate consumer value in your customer and user data management through smart automation, you can proactively chip away at the worst case scenario, and put your data privacy program in the best position at the same time.
If youâd like to learn about how Transcend can give your users a modern data privacy experience, contact our team here.
By Mike Farrell