Privacy and Data Breaches – SY0-601 CompTIA Security+ : 5.5

Data privacy is a significant concern for organizations. In this video, you’ll learn about the information life cycle, breach consequences, notification requirements, and more.

If you’re going to protect data, you need to understand the entire life cycle of that information. It starts with creation or receipt: the data may be created inside our own organization, or it may be received from a third party. Once we have it, the data is processed; commonly this means sorting it and storing it in the appropriate places. At that point the data is ready to use, whether in the applications that run our normal business or in the products and services we build on top of it. Many data sources also require ongoing maintenance, so we are constantly retrieving this data and transferring it to other locations. And once we are finished with it, we need to archive it or dispose of it securely.

At every step of this life cycle there is the potential for a data breach. One consequence of a breach is damage to reputation: if your organization can’t be trusted to store data, that changes how others view you. It can also affect the products and services you sell, since people no longer place the same trust in your organization, and if you are a public company it can affect the stock price. We also have to consider what the attacker will do with the data, since stolen personal information is commonly used for identity theft and other fraud against the people whose information was exposed.

If the data does get into the hands of a third party, it is our responsibility to make a public disclosure so that everyone affected understands what happened to their data. This also costs the organization money. Many breach notification laws require the organization to provide credit monitoring so that everyone affected by the breach can keep an eye on what’s happening with their identity, and there may be fines or lawsuits as well. In 2016 Uber had a data breach and did not disclose it; instead, Uber contacted the hackers who stole the data and paid them $100,000 to keep quiet. The resulting lawsuits were settled by Uber for $148 million. The 2017 Equifax breach led to a settlement with US federal and state regulators of up to $700 million.

Many organizations also hold data they created themselves in the form of intellectual property, or IP. If someone gains access to these company secrets, they can use them for their own purposes and potentially put you out of business.

In many cases these breaches are first discovered inside the organization. A technician notices a series of processes or file transfers and realizes that internal data is being sent to a third party. That means there need to be documented processes so that the right people inside the organization are notified of the breach. At this point we may want to bring in an outside firm that specializes in responding to data breaches: with their assistance it may be possible to gather additional information, locate the source of the breach, and stop any further loss of data. Once this initial response phase is over, it’s time to inform the public.

Security breach notification laws exist in almost every geography: all 50 US states, the European Union, Australia, and many other countries have laws requiring public disclosure. Normally these disclosures happen relatively quickly, but when a criminal investigation is under way it may be more important to keep that information private until the investigation is over.

Keeping information private is an important part of maintaining data, and almost everything an organization does has some impact on data privacy. Starting a new business, creating a new relationship with a third party, or upgrading a product or website all carry the potential for private data to suddenly become public. So for each of these projects we need to understand how data privacy may be affected.

To do that, we perform a privacy impact assessment, or PIA. The goal is to understand how a new process or product will affect the privacy of our customers’ data. Mapping out the data flows before the project is implemented lets us fix privacy problems before they become an issue. It also gives us a way to show others how we are taking care of their data and the process we went through to ensure it stays private. Because it surfaces these privacy concerns before anything is deployed, a privacy impact assessment can also help prevent a data breach rather than simply respond to one.

There are a number of places where you can find out how an organization handles data. One is the terms of service, which you may also hear called the terms of use, the terms and conditions, or the T&Cs. This is a legal agreement, and a user commonly has to accept it before using the service. There may also be a separate document called a privacy notice or privacy policy, which may be required depending on where the organization does business. It describes how the organization will manage the data you provide, what options you have to protect your data, and whom you can contact in the organization for more information.