Breaches

"It's not a matter of if... but when." If you have never heard that phrase, you should get familiar with it, as it goes hand in hand with the word "breach".

A breach, also known as a "data breach", can come in a variety of forms and doesn't necessarily have to mean a failure in the network, computer systems, databases, or anything else digital or electronic.

For example, in the State of Arizona, some boxes full of papers were discovered in an alley, containing hundreds of records relating to child protective services. This wasn't a data breach in the digital or electronic sense, but it was still a data breach, as data that was supposed to be protected and confidential was left in an alley for anyone to find.

You can also have a data breach through a simple accident with user permissions. There have been cases where a person emailed a link to sensitive data but sent it to the wrong individual. If the wrong individual accessed the data, then we have another data breach.

Another perfect, and common, example is when someone clicks a phishing link and ends up with either ransomware or possibly a backdoor into a protected environment. This could lead to a data breach and some serious issues for the company and the individual. However, assuming ransomware, if data is encrypted and ransomed, that doesn't mean there is a data breach. For a data breach to happen, data must be accessed by persons who should not have access to it. This means that a data breach could happen internally or externally to a company, and could involve persons who don't work for the company as well as persons who do.

A prime example of this would be the situation involving Britney Spears, where hospital workers were curious about her medical records and felt the need to satisfy their curiosity. This was a data breach (a very small one) and also a crime.

Should you feel like you have a breach situation, you should also understand a few things to protect yourself and your company:
1. What type of data was breached? Some data have breach requirements under federal law, depending on the type of data.
2. What are the state laws for data breaches? Some states require breach notification for as little as 100 records, while other states require a higher number. As a person working for the company, you will need to understand this, as you may "legally" not be required to notify anyone of a breach and, alternatively, you may be violating the law if you don't.
3. If there is a breach, and you must report it, how will you report the breach? Again, some laws require a specific method of reporting or notifying affected individuals (Data Subject Owners if we are referencing GDPR).
4. Do you have cyberinsurance? If you don't, you should, as the average cost of a data breach is around $200 per record stolen.

To visualize the impact of data breaches, check out this link which details data breaches across the globe.

Arrakis can help you avoid a data breach and also act as a trusted agent or advisor during the difficult time of dealing with a data breach. If you are in trouble, give us a call.
