Why It Matters
Data breaches have become one of the most costly and common business risks. The average cost of a data breach reached $4.88 million in 2024 (IBM Cost of a Data Breach Report), and the frequency continues to increase. Beyond financial loss, breaches destroy customer trust, trigger regulatory investigations, and in severe cases lead to class-action lawsuits and executive terminations.
Types of Data Breaches
By Method
- Cyberattack — hacking, malware, ransomware, SQL injection, zero-day exploits
- Social engineering — phishing, pretexting, business email compromise
- Insider threat — malicious employees or contractors stealing data
- Human error — emailing data to the wrong recipient, misconfigured cloud storage, lost devices
- Physical breach — stolen laptops, break-ins, unauthorized access to server rooms
- Third-party breach — a vendor or supplier is compromised, exposing your data
By Data Type
- Personal data — names, addresses, emails, phone numbers (triggers GDPR)
- Financial data — credit cards, bank accounts, payment information (triggers PCI DSS)
- Health data — medical records, prescriptions, insurance (triggers HIPAA)
- Credentials — usernames, passwords, access tokens
- Intellectual property — trade secrets, proprietary code, research
- Government/classified — national security information
The Numbers
- Average cost: $4.88 million per breach globally (IBM, 2024)
- Average time to identify: 194 days
- Average time to contain: 64 days
- Breaches involving stolen credentials: 16% of all breaches
- Most expensive sector: Healthcare ($9.77 million average)
- Cost savings with incident response team: $2.66 million less per breach
Notification Obligations
| Regulation | To Whom | Deadline | Trigger |
|---|---|---|---|
| GDPR | Supervisory authority | 72 hours | Risk to individuals |
| GDPR | Affected individuals | Without undue delay | High risk to individuals |
| HIPAA | HHS + individuals | 60 days | Breach of unsecured PHI |
| NIS2 | National CSIRT | 24 hours (early warning), 72 hours (full notification) | Significant incident |
| CCPA | Affected consumers | Expeditiously | Breach of unencrypted PI |
| SEC Reg S-P | Affected individuals | 30 days | Sensitive customer info |
Response Steps
- Contain — isolate affected systems, revoke compromised credentials
- Assess — determine scope, data involved, number of individuals affected
- Notify — regulatory authorities and affected individuals within required deadlines
- Investigate — root cause analysis, forensic examination
- Remediate — patch vulnerabilities, strengthen controls
- Learn — post-incident review, update incident response plan
Key Regulations
- GDPR Articles 33–34 — breach notification obligations
- HIPAA Breach Notification Rule — healthcare breach reporting
- US state breach notification laws — all 50 states have breach notification laws
- NIS2 Article 23 — cybersecurity incident reporting