No magic bullet to prevent data breaches – but check out these tips

August 19, 2022 - 3 minutes
Article by Editorial Insights

The number of reported data breaches in the Netherlands is increasing. That's not surprising: being a highly digitized country, the Netherlands runs a relatively high risk of data leakage. What can you do to prevent losing your data?

According to the Data Breach Report 2021 of the Data Protection Authority (Autoriteit Persoonsgegevens or AP), last year the Dutch privacy watchdog received 24,866 data breach notifications. That is an increase of 4% compared to 2020 (23,976 notifications). It is remarkable that the proportion of data leaks resulting from cybercrime (hacking, malware, or phishing) is once again rising sharply.

Data breaches resulting from digital attacks now comprise about 9% of the total number of reports, compared with 5% last year. According to the Data Breach Report, the AP received 88% more of these reports last year than in 2020.

The risk of data leaks has been under the spotlight for some time now. It is no coincidence that the Dutch government introduced the Data Leak Notification Act in 2016, and new legislation has also been developed at the European level. Data Leakage Prevention (DLP), the prevention of data breaches, is therefore more important than ever. This calls for extra attention to well-organized cybersecurity and adequate protection of personal data.

What is a data breach?

A data breach is a breach of security in which data is transferred to an unauthorized party or is unintentionally lost or modified. The laws and regulations on the protection of personal data specifically describe a data leak as a breach of security involving personal data.

Types of breaches

Data breaches come in all shapes and sizes. Some are technical, while others are physical. In addition, leaks can occur both accidentally and deliberately:

  • Physical and deliberate
    Industrial espionage, data theft, employees leaving the company and taking documents with them, leaks of the government’s Budget Memorandum
  • Physical but unintentional
    Leaving confidential papers lying around, telling a party about unpublished annual figures, telephone calls on the train about sensitive information, unintentionally deleting a file
  • Technical but unintentional
    Covert channels, unintentional sharing of data with third party organizations
  • Technical and deliberate
    Hacking, SQL injections, spyware

Why is DLP important?

  • Responsibility to customers and employees
  • Compliance with European and national legislation
  • Protecting your own business
  • Preventing reputational damage

Notification obligation

On 1 January 2016, the Notification Obligation for Data Breaches came into effect, as part of the then Data Protection Act (Wbp). The Wbp was replaced in May 2018 by the (Europe-wide) General Data Protection Regulation (GDPR, known in Dutch as the AVG). Since then, organizations must, in certain cases, report data breaches involving personal data to the Data Protection Authority.

What you can do to prevent a data breach

Unfortunately, there is no miracle cure that completely prevents data leakage. There are, however, tools (often complex ones) that monitor digital data traffic and, based on the classification of the data, permit or prohibit certain actions or give a signal when there is a threat of data leakage.

However, these are not total solutions. Therefore, organizations should approach DLP as part of their integral information security policy. Data classification and risk analysis make it clear what the requirements of confidentiality, integrity and availability are for certain data. Measures can then be taken in the following three areas: people, technology and process.

  • People-oriented measures
    Increase awareness about information security, alert employees, and clarify what is and is not allowed.
  • Technical measures
    From firewalls and antivirus software to preventing data copying, blocking USB ports, and monitoring with DLP solutions.
  • Process-oriented measures
    Data classification, risk analysis, backup procedure, incident management, reporting procedure
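
The classification-based decision described above (permit, prohibit, or give a signal) can be sketched in a few lines. This is an added example, not part of the original article and not any vendor's product code. It assumes two classification labels, a hypothetical policy table and function names, and two detectors for personal data (the Dutch citizen service number, BSN, and IBAN bank account numbers), each validated by its checksum.

```python
import re

# Assumed policy for this example: (classification, destination) -> action.
POLICY = {
    ("public", "internal"): "permit",
    ("public", "external"): "permit",
    ("personal", "internal"): "signal",    # allow, but alert the security team
    ("personal", "external"): "prohibit",
}

def valid_bsn(digits: str) -> bool:
    """Dutch citizen service number (BSN): nine digits passing the 11-test."""
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    total = sum(int(d) * w for d, w in zip(digits, weights))
    return total != 0 and total % 11 == 0

def valid_iban(candidate: str) -> bool:
    """IBAN mod-97 check: move the first four characters to the end, A=10..Z=35."""
    rearranged = candidate[4:] + candidate[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

# (kind, candidate pattern, checksum validator); the checksum cuts false positives.
DETECTORS = [
    ("BSN", re.compile(r"\b\d{9}\b"), valid_bsn),
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), valid_iban),
]

def find_personal_data(text: str) -> list[str]:
    """Return the kinds of personal data whose checksum validates in the text."""
    return [kind for kind, pattern, check in DETECTORS
            if any(check(m.group()) for m in pattern.finditer(text))]

def decide(text: str, destination: str) -> tuple[str, list[str]]:
    """Classify the text, then look up the action; unknown cases fail closed."""
    findings = find_personal_data(text)
    classification = "personal" if findings else "public"
    return POLICY.get((classification, destination), "prohibit"), findings

if __name__ == "__main__":
    # Constructed sample messages using well-known test values, not real data.
    samples = [
        ("Invoice 123456789 is attached.", "external"),
        ("Customer BSN 111222333, refund to NL91ABNA0417164300", "internal"),
        ("Customer BSN 111222333, refund to NL91ABNA0417164300", "external"),
    ]
    for text, destination in samples:
        print(destination, decide(text, destination))
```

The invoice number in the first sample has nine digits but fails the 11-test, so it is not flagged. Checksum validation of this kind keeps a pattern-based monitor from raising an alert on every long number.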