Definition
A data breach is a security incident in which unauthorized parties gain access to sensitive, protected, or confidential information — triggering legal notification obligations, regulatory investigations, and significant financial and reputational damage.
A data breach occurs when an unauthorized party accesses, copies, transmits, views, steals, or uses protected information. Breaches can result from external attacks (hackers exploiting vulnerabilities, phishing attacks that steal employee credentials, ransomware that encrypts and exfiltrates data), insider threats (disgruntled or careless employees accessing data they shouldn't), or accidental exposure (misconfigured cloud storage, accidentally emailed sensitive files, lost unencrypted devices). The type of data exposed — personal information, payment card data, health records, credentials — determines which regulatory frameworks are triggered.
Breach notification laws create strict timelines and procedures that affected organizations must follow. GDPR requires notification to the relevant supervisory authority within 72 hours of becoming aware of a breach (if it poses risk to individuals) and notification to affected individuals without undue delay. US state breach notification laws vary — most require notification to affected state residents within 30–90 days, with California among the most stringent. HIPAA requires notification to affected individuals within 60 days and to HHS, with media notification required for breaches affecting more than 500 residents of a state. Failure to notify on time is itself a violation that compounds penalties.
The full cost of a data breach extends well beyond the immediate remediation. IBM's annual Cost of a Data Breach Report consistently shows average total costs of $3–5 million for mid-market breaches — including incident response, legal fees, notification costs, regulatory fines, credit monitoring for affected individuals, customer attrition, and increased insurance premiums. Ransomware attacks often involve data exfiltration (the threat actor steals the data before encrypting it), meaning paying the ransom does not eliminate the breach notification obligations.
Many businesses believe they are too small to be targeted by cybercriminals — but attackers increasingly automate their attacks and target small and mid-market businesses precisely because they have weaker defenses. The legal and financial consequences of a breach can be existential for a small company. A cybersecurity consultant can assess your current exposure, implement the most impactful preventive controls, and help you build an incident response plan so that if a breach does occur, you can execute quickly and correctly rather than improvising under pressure.
For any business that stores personal data — and virtually every business does — working with a technology attorney to understand your specific notification obligations under applicable laws (GDPR, CCPA, state laws, sector-specific regulations) before a breach occurs is far less costly than scrambling to interpret them in the middle of an incident.