Reports of data loss or extraction during cybersecurity attacks are increasing. Network infiltrations often go unnoticed while corporate or personal data is compromised. This may include proprietary company information and private data such as names, addresses, ID numbers, bank details or credit card information.
Data privacy and protection regimes such as GDPR, CCPA and BIPA are serving as the foundation for a growing patchwork of regulatory constructs governing the protection of personal information. For example, under GDPR, when personal data is compromised, the EU data protection regulation requires the responsible entity to report the incident to the supervisory authorities within 72 hours of being detected.
Many of these regulations also require a description of the personal data impacted that indicates, where possible, the approximate number of data subjects, categories concerned and affected records. Various jurisdictions in the United States and around the world have and continue to institute similar requirements.