We regret to inform you that we will no longer be publishing Information Management. It has been an honor to provide you with the insights and connections to move your career forward. We wish you continued success on your professional journey and welcome you to explore our other titles at www.arizent.com/brands.

Data breaches aren’t a matter of if, but when. Here's how to respond.

As consumers continue to turn to an ever-greater number of online services, many have become fatigued by how many passwords they’re expected to remember and the number of accounts they’ve created. Caution around giving out personally identifiable information (PII) online has given way to an atmosphere of tepid indifference. There are still distressing disparities between perceptions and reality among U.S. adults concerning data breaches and PII exfiltration.

My firm, 4iQ, recently surveyed 2,300 U.S. adults around their perceptions concerning data breaches and identity protection, and one key finding was that a majority of Americans (55%) believe that it’s likely their PII is already in the hands of criminals. The shocking aspect of this statistic is that it’s so startlingly low. The unfortunate truth is that the number of us who will have our PII exfiltrated at some point is much closer to 100%.

These low numbers suggest that many still do not understand the modern environment of cyber threats. It may not matter how safe or cautious individual consumers are with their data. Large organizations have become prime targets, and a single breach could result in the exfiltration of data on millions of consumers.

Once this data is released to underground communities, it often gets compiled into databases traded and sold by bad actors. Information that you may have entrusted to mainstream websites or companies, even many years ago, may find its way onto these aggregated lists without you having any idea. Stolen identity attributes such as your email address, password, passport number, healthcare record, prescription purchases, etc. – are being collected. This data could be used years down the line to attempt account takeovers or identity fraud – the attack could, and likely would, appear completely out of the blue, without warning.


Our survey also found that 44% of respondents said they have already been notified that they were victims of a breach. Despite this, only 62% are concerned that their PII could be used to commit fraud.

We know that many breaches are not disclosed (due to the fear of the penalty, from a financial and reputational standpoint), so if the percentage that have been notified is already as high as 44%, then the number that have already had their information breached is certainly much higher. Among the victims that were notified, 84% stated that they were offered identity protection services. This is a positive development, and certainly one that should continue.

Organizations should make sure to offer remediation and protection, not only to recompense their customers, but to protect their brands as well. Despite this, over half of respondents, 54%, felt it wasn’t enough. It’s clear that consumers feel that more needs to be done.

Additionally, consumers feel stressed by the burden of managing their PII, and they also feel as if they aren’t getting enough help. Interestingly, 52% believe that if they committed an online security error, it would negatively impact their standing with their employer, and 60% believe there’s a “blame-the-victim” mentality.

Organizations will need to work to alleviate this stress by improving their responses to breaches, and by placing more stringent protections in place. As bad actors become increasingly sophisticated, organizations with vast amounts of data will need to take an especially serious and modernized approach to data security protection.

Furthermore, employees should not immediately be seen as the scapegoat when it comes to accidental exposures – a common type of data breach that can be attributed to human error. Sure, cyber negligence in the workplace does occur, but if the organization does not provide adequate training on proper cyber hygiene, who is really at fault?

It’s likely that the public is not aware of how sophisticated modern cybercriminals are with their attacks. The image of a lone hacker, illuminated by the light of a monitor in a dark basement, still dominates the public consciousness. In fact, criminal networks are increasingly corporatizing their activities. Organized groups occupy entire office blocks. They function much like any other business – their employees even have KPI targets.

For many companies, it is not a matter of if, but when – every organization should expect to have their data exfiltrated at some point. The Chinese have recruited a “hacker army,” numbering somewhere between 50,000 to 100,000, dedicated to seizing valuable U.S. data. Even with the best protection, it is extremely difficult, if not impossible, for a business or corporation to fight against that. With that in mind, organizations will need to develop contingency plans in the event of a breach. When it happens, you’ll want to be prepared.

In the event of a bank robbery, most patrons won’t blame the bank. However, if the bank appears grossly negligent, or if they fail to compensate the patrons, then they’re much more likely to start getting scrutinized. As awareness of cybersecurity issues grow, the American public will increasingly come to view the exfiltration of their data as a future certainty.

Organizations may be able to escape blame for the breaches, but they won’t be extended such leniency if it appears they failed in their due diligence or if they fail to display serious resolve in remediating the issue. As responsible business actors, it behooves all of us to use our peace time wisely, administer cybersecurity training for employees, prepare for the worst, develop contingency plans in the event of a breach, and have the courage to properly confront breaches when they do occur.

For reprint and licensing requests for this article, click here.