Companies with poor privacy practices are 80% more apt to suffer data breach

Poor privacy=data breach as reported by Osano was proven July 15 when Twitter was hacked and 130 accounts--including Joe Biden's and Kanye West's--were exposed.

DATA PRIVACY Group of People Digital Devices Wireless Communication Concept

Image: Getty Images/iStockphoto

There's a direct correlation between a company's poor privacy practices and the likelihood of a data breach, according to a report from the data privacy platform Osano, The Osano Data Privacy and Data Breach Link. The report dubs it a "predictive relationship" tying together responsible privacy practices and security outcomes. Businesses with poor privacy practices are 80% more apt to experience a data breach. This was no better illustrated last week, when 130 Twitter accounts were exposed, including those of the democratic presidential nominee Joe Biden and entertainment mogul Kanye West. The fallout: Twitter now has a "very poor" Osano privacy score.

SEE: SSL Certificate Best Practices Policy (TechRepublic Premium)

Osano's privacy score was developed as a response to the increasingly challenging landscape of data privacy. The evaluation measured the privacy practices of 11,000 websites against 163 factors. The benchmark for privacy performance included if commerce is involved, if shares or licenses data is provided to third parties or affiliates or if a company willfully collects data on children younger than 13.

The notable key findings are a confirmation of common sense. In addition to poor privacy policy resulting in an 80% possible data breach, companies with the lowest privacy scores lost 600% more records than companies at the other end of the scale, with the highest scores. 

In the last 15 years, 2.77% of companies reported a data breach.

Worst privacy scorers are also the least likely to be able, in retrospect, to identify the root of the breach. The highest number of data breaches were from hacker attacks, and financial industries were the most likely of businesses to be caused by inside or within-the-company  jobs. 

Governments are not only most likely to be breached, but have the lowest scores. Education and government websites are 15 times more likely to experience a breach than commercial websites. Nearly 30% of sites with .gov or .edu domains have suffered data breaches.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

"In the face of nonstop breaches and increased data security awareness, consumer and shareholder confidence in businesses is slowly eroding. Businesses that fail to protect sensitive data will face serious negative consequences, and the report proves just how these phenomena move hand-in-hand," said Osano co-founder and CEO Arlo Gilbert, in a press release. "There is a perception that privacy issues are akin to a speeding ticket--a risk worth running. Companies that don't change their perception are facing higher odds of experiencing a data breach and losing the trust they've built with their customers."

The Osano report found that there are many causes for data breaches and low Osano privacy scores including:

  • Willful ignorance
  • Oversight of privacy best practices that increase risk exposure
  • Company culture
  • Third-party vendors

The average business shares data with 750 different vendors, and third parties were deemed responsible for two of every three data breaches. 

The key trends Osano identified were: 

  • The growing challenges of changing vendor policies and notifications,
  • The more public awareness and subsequent concern over data privacy, and 
  • The increasing legislative activity, which directly relates to data security. 

Those with the highest privacy scores (referred to as "top quartile") make a proactive effort to be transparent about data practices and their policies are expected to be "readable and fair." The second quartile are generally good internet citizens who may share some data, but generally with a user opt-out consent. The third quartile shares data without user consent, hides onerous items in documents and is likely to engage in data brokering. Lastly, the bottom quartile have very antiquated privacy policies or no privacy policy at all, they may participate in non-consensual sharing of sensitive data with third parties, or are engaging in other data privacy practices that put their users at risk. 
 
The bottom line is for companies to avoid data breaches, they need to adopt the practices of the top scorers from Osano's report and have a profound understanding that companies with insufficient policies and poor privacy protections are much more likely to experience accidental disclosures, hacking attacks, and other data-related incidents. 

Also See