
    Data Breach

    A data breach is a security incident where protected, sensitive, or confidential data is accessed, disclosed, or stolen by unauthorized parties.

    A data breach occurs when personal or sensitive information is exposed to unauthorized access. Breaches trigger legal notification requirements and can cause significant harm.

Types of breaches:
- External Attack: Hacking, malware, phishing
- Insider Threat: Employees or contractors
- Accidental Exposure: Misconfiguration, lost devices
- Vendor Breach: Third-party compromise

Breach response steps:
1. Contain and investigate
2. Assess scope and impact
3. Notify regulators (if required)
4. Notify affected individuals
5. Remediate and improve defenses

Notification requirements:
- GDPR: 72 hours to regulator
- HIPAA: 60 days to HHS and individuals
- State laws: Typically 30-60 days

    Why It Matters

    The average data breach costs $4.88 million and takes 277 days to identify and contain. Beyond direct costs, breaches cause lasting reputational damage—customers lose trust, stock prices drop, and regulatory scrutiny intensifies. Organizations with strong security controls, incident response plans, and compliance certifications like SOC 2 experience significantly lower breach costs and faster recovery.

    Key Points

    Must be reported within regulatory timeframes
    GDPR requires 72-hour regulator notification
    Document all breach response actions
    Legal counsel should be involved
    May result in fines and lawsuits

    Frequently Asked Questions

    When do I need to notify about a breach?

It depends on the applicable law and the breach's impact. GDPR requires notification within 72 hours. Many US state laws require notification within 30-60 days.

    What is the average cost of a data breach?

    According to IBM, the average cost in 2024 was $4.88 million globally, with healthcare having the highest at over $10 million.
