What if I told you I could predict your organization's likelihood of experiencing a data breach by looking at your company?
No, I'm not a hacker, peering into the code to look for vulnerabilities. In fact, anyone should be able to perform the same trick. All it takes is a perusal of the various statements you make about privacy — your cookie notice, EU General Data Protection Regulation statement, privacy notice, terms and conditions, and other such necessary parts of every major company. The posture you take in such notices directly correlates with the chances you'll suffer a data breach and need to tell the world about it.
How is that possible? That probably requires some soul searching on the part of the organizations that make various decisions in their desire to go, as they say, "beyond compliance."
The discovery was a complete accident. We were focused on developing an objective measure of how well organizations handle personal data. Our hands were already full thoroughly evaluating the most popular 11,000 companies on the internet based on 163 factors related to personal information handling.
Do they sell, license or otherwise share data with third parties? Do they handle the information of people under the age of 13? Do they use personal data for targeted advertising? You get the idea. We all know that many organizations walk right up to the edge of what's lawful in privacy. In contrast, others make decisions to handle data in a more privacy-friendly way, based on business practice, corporate ethics and other factors. We wanted to create a quick and easy way for consumers to get a feel for where on that spectrum an organization might be.
While developing privacy scores, we discovered something we weren't looking for: Those with low privacy scores seemed to keep popping up in the news with ugly-looking data breaches. But why would that be? Isn't preventing breaches primarily information security work, while cleaning them up and managing them (and perhaps minimizing the damage) is mostly the work of privacy? How could policy affect the ability of a hacker to penetrate a firewall?
So, we decided to take a more rigorous look. Maybe we just saw a handful of coincidences, an effect of confirmation bias. It turns out the pattern is real.
In our new report, "The Data Privacy and Data Breach Link," we outline what we have found is a direct and hard-to-ignore link between an organization's privacy posture and the likelihood of a publicly reported breach in the last 15 years. While, overall, 2.77% of the organizations with the top 11,000 websites in the world by traffic numbers have experienced a publicly announced data breach in the last 15 years, that number increases to 3.66% for those with privacy scores in the bottom quartile.
And if they're in the top quartile? That number drops to 1.86%.
Yep, those in the bottom quartile are 80% more likely to experience a breach than those with the best scores.
Why? Well, that's where the introspection comes in. We often hear, in the privacy industry, about "creating a culture of privacy." However, I think there is a bit of skepticism around that term, especially among executives. Who cares about culture? Isn't breach prevention about spending money on top-of-the-line infosec?
Well, maybe. It's certainly possible that those organizations that go "beyond compliance" with their privacy policies are more likely to prioritize spending on infosec.
It's more likely those organizations that choose to make privacy a priority are more likely to develop a culture of privacy within their organization that extends to those everyday employees who handle data and might think a second time about clicking that link in the phishing email. Also, privacy-focused organizations are more likely to limit the amount of data they share with third-party vendors and proactively scrutinize if their vendors should be trusted with users' personal data. Experts estimate that third parties were responsible for two out of every three data breaches.
What decisions has your organization made? How have you communicated your positions on privacy, both externally and internally? It might be worth a second look.
You just might head a data breach off at the pass.