A data breach – and now what?


Just before 2018 ended, news broke of one of the largest data breaches of the past few years.

On 30 November, the global hotel chain Marriott announced that the guest reservation database of its Starwood brand had been compromised. On Friday 4 January 2019, it released an update revealing that approximately 383 million guest records had been accessed by the attackers. These records included about 5.25 million unencrypted passport numbers and 8.6 million encrypted payment card numbers.

Needless to say, such a data breach is one of the worst nightmares a company can imagine. Customers’ trust in the company takes a blow, significant resources have to be committed to mitigating the effects and, last but not least, the regulators may start an investigation.

And don’t be fooled; a data breach can happen to anyone. Due to its size and familiar name, the Marriott breach made the news headlines, but there are many more breaches we never hear about. In the 7 months alone that the GDPR has been in force, the European Supervisory Authorities have been notified of 27,000 data breaches. That’s over a hundred breaches per day. Just in Europe.

Also, they cost money. A recent IBM study found some interesting numbers on data breaches:

  • Average total cost of a data breach:  $3.86 million
  • Average total one-year cost increase:  6.4%
  • Average cost per lost or stolen record:  $148

These numbers are based on interviews with more than 2,200 IT, data protection, and compliance professionals from 477 companies that have experienced a data breach over the past 12 months.

Thankfully, there are ways to reduce the risk and to limit the impact of a data breach. For researchers, applying the principles of the ICC/ESOMAR International Code is an excellent starting point. These principles include data minimisation, security and purpose limitation; applied consistently, they ensure that you keep only the minimum data you need for your work. Delete as much as you can, as soon as you can, so that if you ever lose control of your databases there is far less for an attacker to find. Applying state-of-the-art security measures greatly reduces the chance of unwanted access, but no control removes it entirely, which is why minimising what you hold matters just as much.

Having the right organisational measures in place will help you mitigate the impact of a breach, so make sure your team knows what to do when one is discovered. During a breach, you and your colleagues will need to establish the cause quickly and decide on the actions to be taken, while liaising with the Data Protection Authority (DPA) on additional remedial measures; under the GDPR, the DPA must be notified within 72 hours of your becoming aware of the breach, so the clock starts immediately. You may also need to inform the individuals affected by the breach. None of this should be decided on the fly, so make sure clear protocols are developed in advance and regularly rehearsed.

ESOMAR also offers several tools to help you build a compliance framework. To kick-start the implementation, we have developed a Data Protection Checklist which walks you through these principles and guides your company’s data protection team in its day-to-day work. You may also find it useful to have a look at our free GDPR resources at https://www.esomar.org/gdpr

Finally, ESOMAR Corporate Members can obtain access to ESOMAR Plus, the exclusive ESOMAR Membership consultancy package tailored to help with your legislative needs. Through that service we offer a unique set of skills and expertise on a global scale, tailored to your specific market research and insights needs. Just have a look at https://www.esomar.org/esomar-plus to learn more!