What is a Breach of Privacy?

Written by Ryan Nevin


Privacy is the right of individuals to keep their personal information secure from unauthorised access or intrusion.

A privacy breach can have wide-ranging ramifications, from financial losses, regulatory fines and reputational damage to legal liability for emotional distress. It is important for individuals, businesses, and organisations to understand their legal and regulatory obligations. Legal frameworks aim to safeguard personal information and can levy significant fines for failing to protect personal data. Under UK GDPR and the Data Protection Act 2018, fines can reach £17.5 million or 4% of global turnover.

Privacy breaches typically occur through intentional misconduct, negligence, or cyber-security failures. Technology plays an increasing role in both enhancing and compromising individuals' privacy.


What is a breach of privacy?

A breach of privacy involves the unauthorised access, use, or disclosure of personal information. This breach can lead to significant harm, including financial loss, identity theft, and erosion of trust. In the digital age, breaches of privacy have become more prevalent and complex, involving various forms of data and communication.

  • Unauthorised data access occurs when individuals or entities gain access to personal information without permission. This can happen through hacking, social engineering, or exploiting security vulnerabilities. An example of this could be phishing, where fraudsters use deceptive emails or websites to trick individuals into providing personal information.
  • Data leaks occur when personal information is inadvertently exposed to unauthorised parties. This can result from poor security practices, human error, or inadequate safeguards. Something as simple as sending sensitive information to the wrong email address can result in a privacy breach. For example, in 2020, an NHS Trust in the UK accidentally emailed the personal details of 1,000 patients to an incorrect recipient.
  • Unauthorised surveillance involves monitoring individuals' online activities without their consent. This can be conducted by governments, organisations, or malicious actors. This could involve malicious software installed on devices to monitor activities and steal information. The Pegasus spyware scandal revealed how governments used spyware to monitor activists, journalists, and political opponents.
  • Data exploitation involves using personal information for purposes other than those consented to by the individual. This can include selling data to third parties or using it for unauthorised research. An example of data exploitation came to light in 2018, when it was revealed that Cambridge Analytica had harvested data from millions of Facebook users without consent and used it for political profiling and targeted advertising during elections.



General Data Protection Regulation (GDPR)

The GDPR is one of the most comprehensive and influential privacy laws globally, enacted by the European Union and enforced since May 2018. GDPR grants individuals several rights, including the right to access their data, the right to correct inaccuracies, the right to erasure (also known as the right to be forgotten), and the right to data portability.

Companies must obtain explicit consent from individuals before collecting and processing their personal data. They are also required to build data protection measures into new systems and processes from the outset, and to notify the relevant supervisory authority within 72 hours of discovering a data breach that risks individuals' rights and freedoms.


Consequences of a privacy breach

1. Investigation costs for potential breaches of privacy

2. Notification costs to inform individuals of a privacy breach

3. Legal costs and damages arising from a privacy breach

4. Fines levied for non-compliance and breaches of GDPR

5. Reputational damage, negative publicity and customer loss

6. Costs of additional services such as credit monitoring


Examples of privacy breaches

Equifax Data Breach (2017) - Equifax, one of the largest credit reporting agencies, experienced a massive data breach in 2017. The breach exposed personal information, including names, Social Security numbers, birth dates, addresses, and, in some cases, driver's license numbers of approximately 147 million people. The breach led to widespread concern about identity theft and financial fraud. Equifax faced severe reputational damage, regulatory scrutiny, and legal action, resulting in a settlement of up to $700 million to compensate affected consumers and improve security measures. This highlighted the importance of timely software updates, as the breach exploited a known vulnerability in a web application framework that had not been patched.

Facebook Cambridge Analytica Scandal (2018) - Cambridge Analytica, a political consulting firm, acquired data from millions of Facebook users without their explicit consent. The data was harvested through a personality quiz app, which collected information not only from users who took the quiz but also from their friends' profiles. Approximately 87 million Facebook users were affected. The scandal raised significant concerns about data privacy, political manipulation, and the ethical use of personal information, and emphasised the need for stricter data protection policies and greater transparency in data handling practices by social media platforms.

Marriott International Data Breach (2018) - Marriott International announced that hackers had accessed the Starwood guest reservation database, affecting up to 500 million guests. Exposed information included names, passport numbers, email addresses, and credit card details. The breach damaged Marriott's reputation and raised concerns about the security practices of hospitality companies. Marriott faced fines and lawsuits, including a $123 million fine imposed by the UK's Information Commissioner's Office under GDPR. The incident highlighted the need for thorough security integration during mergers and acquisitions, as the breach originated from the acquired Starwood database.

Yahoo Data Breaches (2013-2014) - Yahoo experienced two major data breaches, one in 2013 and another in 2014, compromising all three billion user accounts. Exposed information included names, email addresses, telephone numbers, birth dates, hashed passwords, and security questions and answers. The breaches led to a significant loss of user trust and a reduction in Yahoo's acquisition price by Verizon. Yahoo faced regulatory scrutiny and numerous lawsuits from affected users. The incident highlighted the importance of proactive security measures and timely breach disclosure to mitigate damage and maintain user trust.

Capital One Data Breach (2019) - Capital One disclosed a data breach affecting approximately 106 million individuals in the US and Canada. Exposed information included names, addresses, credit scores, Social Security numbers, and linked bank account numbers. The breach led to regulatory investigations and class-action lawsuits. Capital One faced significant costs related to breach notification, credit monitoring services, and regulatory fines. The incident highlighted the importance of cloud security practices and internal access controls, as the breach involved a misconfigured web application firewall.




About the author

Ryan Nevin is an Account Broker at Get Indemnity™ - he is an ambitious professional who is currently studying towards being a Chartered Insurance Broker.