What Is a Data Breach?
A data breach is a security incident in which personal data is accessed, disclosed, altered, lost, or destroyed without authorization, whether through cyberattack, human error, or system failure.
Breaches arise from a wide range of causes: cyberattacks (hacking, phishing, ransomware, malware), insider threats (malicious or careless employees), exploitable weaknesses (unpatched software, misconfigured databases or cloud storage), physical theft or loss of devices, and accidental exposure (sending personal data to the wrong email recipient, or leaving a database reachable from the internet without authentication). The consequences can be severe both for the individuals whose data is compromised and for the organizations responsible for protecting it.
Under the GDPR (Article 4(12)), a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Guidance from the Article 29 Working Party (WP250, later endorsed by the European Data Protection Board) groups breaches into three types that can overlap: confidentiality breaches (unauthorized disclosure or access), integrity breaches (unauthorized alteration), and availability breaches (accidental or unauthorized loss of access or destruction). A single incident can fall into more than one category: a ransomware attack that encrypts data is an availability breach, and also a confidentiality breach if the attacker exfiltrated the data first. Importantly, a breach does not have to involve a malicious actor; accidentally deleting a database without a backup qualifies as a personal data breach just as the ransomware attack does.
Data breach notification obligations are a cornerstone of modern privacy regulation. Under the GDPR (Article 33), controllers must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a later notification must explain the delay, and the required information may be supplied in phases if it is not all available at once. Processors must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk, affected individuals must also be informed without undue delay (Article 34). In the United States, all 50 states (plus the District of Columbia and several territories) have breach notification laws with differing triggers, deadlines and content requirements, and the CCPA gives consumers a private right of action when their nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft or disclosure because a business failed to implement reasonable security measures, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.
The financial impact of data breaches is staggering. According to IBM's annual Cost of a Data Breach report, the global average cost of a data breach was about $4.45 million in 2023, with healthcare industry breaches averaging over $10 million. These costs include forensic investigation, notification expenses, legal fees, regulatory fines, credit monitoring services for affected individuals, business interruption, and long-term reputational damage. Prevention strategies include implementing robust access controls, encrypting sensitive data, conducting regular security audits and penetration testing, training employees on phishing awareness, maintaining incident response plans, and ensuring that all vendors and processors meet adequate security standards through data processing agreements. Two of these deserve emphasis from a practitioner's standpoint: encryption only helps if the keys are kept separate from the data (many US notification laws and the CCPA private right of action apply only to unencrypted data, and that safe harbor is lost when the attacker obtains the keys too), and retaining adequate access and audit logs is what makes it possible to scope a breach accurately within the 72-hour window rather than having to assume every record was exposed.
Key Points About Data Breaches
1. Includes unauthorized access, disclosure, alteration, loss, or destruction of personal data.
2. Can result from cyberattacks, human error, system failures, or physical theft.
3. GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a qualifying breach.
4. Affected individuals must be notified if the breach is likely to result in a high risk to their rights and freedoms.
5. The CCPA allows statutory damages of $100-$750 per consumer per incident for breaches of nonencrypted personal information caused by inadequate security.
6. The average global cost of a data breach exceeds $4.4 million according to IBM research.
7. Prevention requires encryption, access controls, employee training, and incident response planning.
Example
A healthcare company discovers that an employee's email account was compromised through a phishing attack, exposing the names, dates of birth, and medical records of 15,000 patients. The company activates its incident response plan: it contains the breach within 4 hours of discovery (revoking the account's sessions and credentials and preserving the mailbox and sign-in logs for forensics), notifies its GDPR supervisory authority within 72 hours of becoming aware of the breach, sends individual notification letters to all affected patients within a week, offers 24 months of free credit monitoring, and engages a forensic firm to determine the full scope and prevent recurrence.