{"id":77013,"date":"2019-03-04T20:35:10","date_gmt":"2019-03-05T02:35:10","guid":{"rendered":"https:\/\/news.medill.northwestern.edu\/chicago\/?p=77013"},"modified":"2019-03-04T20:35:10","modified_gmt":"2019-03-05T02:35:10","slug":"facing-inevitable-data-breaches-and-new-privacy-laws-companies-shift-focus-to-response","status":"publish","type":"post","link":"https:\/\/news.medill.northwestern.edu\/chicago\/facing-inevitable-data-breaches-and-new-privacy-laws-companies-shift-focus-to-response\/","title":{"rendered":"Facing inevitable data breaches and new privacy laws, companies shift focus to response"},"content":{"rendered":"

By Tyler Sonnemaker<\/strong>
\nMedill Reports<\/em><\/p>\n

The number of data breaches has skyrocketed in recent years, with high-profile incidents involving major companies such as Facebook and Uber, financial institutions and government agencies<\/a>. According to a report <\/a>from the Identity Theft Resource Center, 1,579 incidents \u2014 involving nearly 179 million records \u2014 occurred in 2017 alone.<\/p>\n

That amounts to more than four incidents per day, and there are likely many more that go undetected. As a result, hundreds of millions of people have had their personal information stolen.<\/p>\n

For everyday internet users, it\u2019s easy to become numb to news about data breaches. And with the sheer volume of records leaked, it\u2019s hard to determine whether to be concerned about a particular incident or whether to stop using products and services from a company that has exposed your data.<\/p>\n

At the same time, it\u2019s impossible for businesses, government agencies and other organizations that collect and store your data to completely guarantee safety.<\/p>\n

\u201cCybersecurity is an oxymoron and a data breach is inevitable,\u201d said John Reed Stark, an independent cybersecurity consultant and former chief of the SEC\u2019s Office of Internet Enforcement.<\/p>\n

But that inevitability doesn\u2019t mean giving up entirely. Instead, it just changes how companies must approach cybersecurity, requiring them to go beyond preventative measures.<\/p>\n

\u201cIt\u2019s important to have the latest tools and technology because the threat is evolving,\u201d Stark said, but added that \u201cit\u2019s even more important to have the proper governance and proper response framework in place.\u201d<\/p>\n

Stark recommended companies hire an independent cybersecurity firm immediately after learning of a breach. He compared it to going to the doctor \u2014 the doctor gets paid whether the results are good or bad, so there\u2019s no incentive to skew the findings.<\/p>\n

Companies, cybersecurity professionals, and policymakers alike have started paying more attention to how breach victims respond to an incident.<\/p>\n

\u201cCompanies are recognizing that they need to be prompt in disclosing the breaches,\u201d said Michelle Cohen, a partner at Ifrah Law and chair of its privacy and data security practice. They must be \u201ctransparent with consumers and regulators regarding what happened, what may have been compromised and what the company is offering to do to remedy the situation,\u201d Cohen added.<\/p>\n

Each incident is unique, from the laws governing the organization involved to the type of information compromised. But this shift in thinking means consumers and regulators must look to new metrics \u2014 such as how long it takes a company to both discover and disclose a breach.<\/p>\n\n\n