5.5 Explain Privacy and Sensitive data Concepts In relation to security Flashcards
Organizational Consequences of Privacy Breaches
If a company suffers a data breach, there can be several repercussions. Let’s look at some of them, starting with reputation damage.
Reputation Damage
When a company suffers a data breach and it is known to the public, it can cause their brand to become tainted as they lose the respect of the public. This could reduce sales.
Identity Theft
If any data held on a customer is stolen and then used for identity theft, the company will be sued for damages.
Fines
Data breaches could result in regulatory fines. An example would be the EU GDPR, where the maximum fine is 20 million euros or 4% of the company’s annual global turnover, whichever is greater.
Intellectual Property (IP) Theft
IP theft could result in copyrighted material, trade secrets, and patents being stolen by competitors, resulting in a loss of revenue. This data could be used in countries where a legal route to recover your data would be impossible.
Exam Tip: If a company suffers a data breach and that data is used for identity theft, the company could be sued by the individual affected.
Notifications of Breaches
There are national laws and regulations that are laid down on how data breaches should be reported and who they should be reported to. A data breach is normally where data has been stolen or there has been an accidental breach; this means that the policies currently in place are not effective. If someone accesses a file or database server, we need to find the account used so that we can remove it to prevent further breaches. Let’s now look at the action we need to take once a breach has been discovered, starting with escalation:
Escalation
Any data breach, no matter how small, should be reported immediately to the CEO as the company may face legal action later on. A company may face a fine if they have not been compliant with regulations.
Public Notifications and Disclosures
We may have to contact the police, the regulator, customers, and any individuals affected by the breach. EU GDPR law allows a company 72 hours to notify those concerned. If you are in the UK, you must comply with the Data Protection Act 1988, which is statute law, and in the USA, if it is medical data, you must comply with HIPAA.
Data Types
There are various types of data and we need to have an appreciation of each type and its characteristics; let’s start with different data classifications.
Classification
The first stage of risk management is the classification of the asset, which determines how we handle, access, store, and destroy data. We are now going to look at the different classifications of data so that we know how to handle the data. Let’s start by looking at public data:
Public Data
This is data that is available to anyone, such as yesterday’s news, leaflets, or brochures that have been distributed everywhere. Anyone has access to this data.
Private Data
Private data is data that an individual does not want to disclose; it could also be classified as sensitive data.
Sensitive Data
This is data that is personal to an individual, such as data relating to sexual orientation, politics, religion, race, or health; see https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en.
Confidential Data
Research and Development (R&D) and legal data will be classified as confidential data; disclosure would cause damage to the company. This could also be called classified data.
Critical Data
This is data that a company does not want to disclose; it could also be classified and encrypted to prevent someone from reading it.