In spite of a seemingly never-ending stream of high profile data breaches and hacks, a worrying number of organizations still feel that updating and optimizing privacy practices is a backburner item. A new study from data privacy compliance platform Osano provides some very sharp and eye-popping numbers to the contrary; sloppy privacy practices can be tied directly to an 80% increase in the likelihood of being breached.
“We’re seeing this premise play out in events happening today,” according to Arlo Gilbert, CEO and co-founder of Osano. “Last Wednesday, Twitter suffered a breach that exposed 130 accounts, and perpetrators downloaded personal data from eight accounts, which could now trigger CCPA regulations. Twitter has a Very Poor Osano Privacy Score, so the breach shouldn’t be surprising. We saw a similar example with Capital One. In July 2019, the company suffered a breach that exposed 100 million of its customers, and incurred $150 million in fines. Before the breach, their Privacy Score was poor, and in the aftermath of the breach, after the company cleaned up its security and privacy policies, their privacy score went up. Twitter and Capital One are perfect case studies to underscore how privacy is a predictive indicator of impact in a data breach.”
The link between privacy practices and data breaches
The Osano study incorporated the 11,000 most-visited websites, and evaluated them on a detailed new ratings scale that is based on the terms in their privacy policies. About 2.77% of these sites, or roughly 305, experienced data breaches at some point in the previous 15 years.
Poor privacy practices nearly double a company’s odds of landing in that not-so-illustrious group.
What leads to this sharp increase in the odds? Osano identifies three primary areas of concern that cut across all industries: how data is shared with vendors, how companies respond once they are notified of a data breach, and how well prepared they are for attacks by hackers. Additionally, companies in the financial industry carry a specific elevated risk of data breaches from inside jobs. And government and educational institutions with top-level “.gov” and “.edu” domains are almost 27% more likely to experience data breaches than other types of organizations.
So what constitutes “poor privacy practices” in this context? The study evaluated websites according to 163 different factors, assigning each a final overall score in the range of 300 to 850 (similar to the range used for United States credit scores). The factors included, among others, policies about selling data to (or sharing it with) third parties, use of data for targeted advertising, whether the end-user privacy policy can be easily found and understood by the average person, and whether data on children under the age of 13 is collected. The study led to the creation of PrivacyMonitor.com, a site maintained by Osano that displays the privacy score of any website that has been evaluated by the platform.
The study demonstrates that this privacy score directly correlates with the likelihood of data breaches. Some elements of this are obvious; for example, the more parties an organization shares user data with, the more possible points of compromise there are. Others are known points of concern that have perhaps been underestimated. For example, the study found that two out of every three data breaches were caused by a third-party vendor, and that the average company now shares data with about 750 such vendors.
To put it in more concrete numbers, the study indicates that 1.86% of all websites with strong privacy practices can expect to experience a data breach at some point, versus 3.36% of those with poor privacy practices.
The study also compared the relative amount of damage that breached companies experience based on their privacy practices. Once again, sloppy shops can expect to get the worst of it, and the disparity here is even stronger. Sites with poor privacy practices lost about seven times as many records: 53.4 million collectively, compared to 7.7 million from the sites with stronger policies in place.
Other relevant numbers
The study indicates that the overwhelming majority of data breaches are caused by hackers; 85.3% in total. The next-highest number is due to inside jobs (at 6.7%), with most of these incidents happening in the financial industry. All other types of data breaches (unintended disclosure, lost device, unknown source) were under 1% each.
The study also shows that government and education sites have both the highest rates of data breaches and the lowest overall privacy scores.
To close out the study, Osano identifies three trends that organizations can make immediate use of to improve their privacy practices and harden defenses. The first is the observation that vendor policies are now updated as often as once a month, and 25% of the time these updates are not proactively communicated to partners, so it is imperative to have an automated system in place that monitors them. The second is that organizations can expect the public to increasingly reject sites that do not respect their data privacy; Pew research from this year indicates that over 50% of end users will now pass on a product or service if they have privacy concerns about it. The third is to expect an imminent expansion of data privacy law, particularly in the United States, where recent research shows that 72% of the population supports a federal standard.
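The study's first recommendation, automated monitoring of vendor policy updates, is easy to underestimate: a vendor quietly replacing "we do not sell your personal information" with a clause about advertising partners changes your own exposure. The following is an added example of that monitoring logic, not code from Osano or from PrivacyMonitor.com. It keeps a baseline of each vendor's policy text, detects any substantive change, reports which sentences were added or removed, and flags additions that mention sharing, selling, retention or transfer of data. The two policy versions, the watch-list of terms and the vendor name are constructed for the example.

```python
"""Vendor privacy-policy change monitor (added example, not Osano's code).

Compares a stored baseline of a vendor's policy with the currently fetched
text, ignoring cosmetic whitespace/case edits, and reports added/removed
sentences plus any additions that touch on data sharing or retention.
"""
from __future__ import annotations

import difflib
import hashlib
import re

# Hypothetical watch-list for this example: an added clause containing any
# of these substrings is escalated for human review.
WATCH_TERMS = ("sell", "third part", "share", "advertis", "retain", "transfer")


def normalize(text: str) -> str:
    """Collapse whitespace and case so reformatting alone never raises an alert."""
    return re.sub(r"\s+", " ", text).strip().lower()


def fingerprint(text: str) -> str:
    """Stable hash of the normalized policy; store this as the baseline."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def sentences(text: str) -> list[str]:
    """Split normalized policy text into sentences for a readable diff."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", normalize(text)) if s.strip()]


def compare_policies(baseline: str, current: str) -> dict:
    """Return a change report: changed flag, added/removed sentences, flagged additions."""
    if fingerprint(baseline) == fingerprint(current):
        return {"changed": False, "added": [], "removed": [], "flagged": []}
    old, new = sentences(baseline), sentences(current)
    added: list[str] = []
    removed: list[str] = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, old, new).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(old[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(new[j1:j2])
    flagged = [s for s in added if any(term in s for term in WATCH_TERMS)]
    return {"changed": True, "added": added, "removed": removed, "flagged": flagged}


def run_monitor(vendors: dict[str, tuple[str, str]]) -> dict[str, dict]:
    """vendors maps a vendor name to (baseline_text, current_text)."""
    return {name: compare_policies(base, cur) for name, (base, cur) in vendors.items()}


# Constructed sample: the policy captured at vendor onboarding vs. today's copy.
BASELINE_POLICY = """
We collect your email address to provide the service.
We do not sell your personal information.
You may request deletion of your data at any time.
"""

CURRENT_POLICY = """
We collect your email address to provide the service.
We may share your personal information with advertising partners.
You may request deletion of your data at any time.
Data is retained for 24 months after account closure.
"""

if __name__ == "__main__":
    report = run_monitor({"example-vendor": (BASELINE_POLICY, CURRENT_POLICY)})
    for vendor, result in report.items():
        print(vendor, "CHANGED" if result["changed"] else "unchanged")
        for sentence in result["removed"]:
            print("  removed:", sentence)
        for sentence in result["flagged"]:
            print("  REVIEW :", sentence)
```

In a real deployment the baseline fingerprints would live in a datastore and the current text would be fetched on a schedule; only the comparison logic is shown here. Note that the report lists removed sentences as well as flagged additions, because the deletion of a protective clause (such as "we do not sell your personal information") matters as much as the arrival of a new one.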
Osano identifies consent management, data subject rights, data mapping and vendor monitoring as the four most immediate areas that organizations should be taking action in.