Data breaches are dreaded, and for good reason. They harm multiple parties at once, impacting not only the business that’s been compromised, but also the supply chain of vendors and online services, and possibly millions of customers.
According to IBM’s Cost of a Data Breach Report 2020, a data breach can cost an organization an average of $3.86 million US per incident. The likelihood of an organization experiencing a costly data breach—across all industries and all business sizes—within two years was 29.6 percent in 2019, up from 22.6 percent in 2014, IBM’s study also finds.
And they’re far too frequent. According to the Identity Theft Resource Center, American organizations of all sizes faced 1,300 large and catastrophic data breaches in 2017, a shocking increase from about 200 in 2005.
Data breaches also hurt your brand, and they embed in your customer’s psyche a tardiness when it comes to the technical governance of their data.
But what’s the connection to data privacy, outside the obvious exposure of private data? Put simply, optimizing your data privacy strategy can improve the overall governance of your data.
In this post, we’ll explain how.
The immediate costs of a breach
Regulations like the GDPR in Europe and the CCPA in California are clear when it comes to organizations needing to take appropriate security measures to prevent and to report a data breach they’ve discovered. Depending on which regulations pertain to a company and its data, an organization can be fined for insufficient security measures. Although what constitutes a strong ‘security measure’ isn’t well defined in privacy laws, things like not having controlled data access privileges or failing to do appropriate red team operational exercises likely apply.
And the maximum penalty carries a hefty sticker shock—under GDPR, the maximum penalty for breach is 2% of global revenue or $10M Euro (whichever is higher). And for data rights violations, that maximum penalty is doubled.
You also need to prove you’re already compliant with existing laws, and the cost of doing so during or after an incident is higher than if you’d taken proactive steps before a breach hits.
But with or without regulations, organizations can also be subject to expensive litigation, and they may also incur reputational damage in the eyes of consumers who may want to take their business elsewhere if they don’t trust the company.
Outside the regulatory and legal penalties, data breaches can have a long term impact on brand trust and user acquisition, if not handled effectively. A study from IT security firm Centrify found that 31% of consumers surveyed say they discontinued their relationship with the company that had a data breach.
The growing challenge of personal data getting lost in the cracks
Having incident response plans for data breaches is crucial. But those plans won’t be effective if you don’t know where all of your data is stored.
One of the problems that all organizations have with securing their sensitive data is that it can be stored in a number of different places, and the proliferation of SaaS (Software-as-a-service) data processors can increase the rate at which user data appears in various places (Note: this proliferation of user data in different systems is sometimes referred to as ‘data decentralization’).
And while the rise of SaaS is a good thing for the effectiveness of most businesses, it does mean increased risk of losing data to well-intentioned yet troublesome shadow IT systems. It sounds painfully obvious, but how can you prevent a breach if you don’t truly know where your data is stored, or where it’s going?
Exactly how big is this proliferation challenge? According to recent research, mid-size companies now use an average of 288 different SaaS applications, from payment processing providers, customer support ticketing systems, ecommerce platforms, and so on—a 42% increase from the previous year.
And while each of these new SaaS vendors can be crucial for giving your engineering team leverage to focus on core products, each also has the potential to be one more exposure risk.
The starting point: data mapping
I talk to many technical leaders who often plan to start with a data map exercise in order to get a better handle on their disparate data stores for breach protection and data privacy visibility and management.
Data mapping can be useful in many situations, and provides a rough roadmap when defining where personal data is located, and defining what deterministic queries might be required to action against that data.
But most engineering leaders know that creating a data map is more often than not a massive, resource intensive project which requires constant work and doesn’t result in a meaningful product that can be shipped to improve the business.
There are a number of smart technical mapping solutions that are a big help (and are definitely recommended over low-tech consulting options), but even the best of technical approaches still require some non-technical labor to routinely update the data maps and correct errors.
Going further with a one-two punch on data privacy
Knowing where your personal data exists is one thing. But how do you actually manage that data? What happens when a frustrated customer requests access to the data you hold on them? Or even more challenging, requests deletion?
You’re back at square one, facing another project to prioritize, another team to take off core work, and another systems analysis and risk analysis to complete.
That’s where not just mapping, but connecting the dots with data privacy infrastructure comes into play. It takes this exercise a step further, and gets you closer to a frictionless, automated, and less human-dependent solution.
That’s part of the opportunity we realized in engineering Transcend’s data privacy infrastructure. Not only can clients like Robinhood, Indiegogo, Masterclass, and Patreon see where customer and user data lies, but they’re delivering immediate consumer value through CCPA compliance, while also granting comprehensive (and fast) data rights to their users too.
In each of these cases, we worked with their teams to not identify where personal data is stored, but establish connections to each of these systems (both internally-built and off-the-shelf SaaS) to automate the privacy request fulfillment process, through the use of fast, deterministic queries.
By automating connections to their SaaS data processors, they’re quite literally ‘acting’ on their data map in real time, ensuring not only visibility but privacy request compliance.
By using end-to-end encryption and deterministic queries, this system ensures a level of accuracy and confidentiality not possible in a manual workflow.
Essentially, they’ve turned their personal data mapping exercise into a future-proof personal data fulfillment engine as part of a wider and more secure data governance program, bringing not only regulatory compliance, but consumer brand wins.
And they’ve implemented safeguards against a data breach. They know where their data is stored, they’ve reduced the number of humans in the loop when fulfilling privacy requests, and they’re responding securely and accurately to requests thanks to deterministic queries, ensuring the right data gets to the only person it’s meant to get to.
Additional principles for good data stewardship
Beyond evolving your approach to data mapping to secure the fort, here are some additional tips I recommend if you’re struggling with the enormity of data governance and security projects or feel like you are on a never-ending data mapping ferris wheel:
Find the right partner: This is something we covered in a recent post, but consider working with an engineering partner to improve your privacy experience and help you connect your disparate data stores and gain more control over your data flows - it also allows you to ship a business growth-oriented user experience while ensuring full access and erasure compliance (versus partial delivery thanks to non-integrated or out-of-sight data processors). And a tip: Set high bars for your data privacy partners—you should always interrogate for signs of robust and class-leading security practices, including things like E2EE and trustless-by-design systems.
Agree on shared privacy principles: With your cross-functional privacy team, create an internal data privacy sketch that outlines your values and guardrails for data governance. This plan should be brief and precise, crystallizing shared principles down to a level that any team—from product, dev, growth, and legal—can work from.
Prioritize the quick wins first: Any step is a good step to take to safeguard the personal data your company holds. A useful starting point is separating out structured and unstructured data, the former of which is far easier to prioritize and act on from a data governance perspective.
Minimize the data you’re collecting: The EU’s GDPR stipulates that all businesses that hold personal data on an EU citizen limit the collection of personal data to a required minimum, but any business would do well to have a similar data minimization approach, to reduce the risks of being overburdened with unused data laying around, potentially waiting to be included in a breach.
Good governance is good for the brand, too
There’s an added benefit to demonstrating clear and user-centric data governance, and providing your users with control over their data, when it comes to mitigating against data breaches. We’re already seeing the signals that granting transparency can build goodwill with your users, a valuable insurance policy if the worst occurs.
In a survey of over 1,000 Americans, we found that 60% of Americans believe that companies that can provide users with instant access to control personal data are seen to care about their customers.
Additionally, 62% of Americans also rate companies that provide instant access to a user’s data as trustworthy, 58% say transparent, and 55% deem them to be helpful.
As you’re more than likely aware of from past experience or through lessons learned by colleagues, when that dreaded alert arrives, it’s an all hands on deck effort to quickly triage, respond to, and remediate when a data leak is detected.
But by practicing good data governance, and recalibrating to immediate consumer value in your customer and user data management through smart automation, you can proactively chip away at the worst case scenario, and put your data privacy program in the best position at the same time.