Top 10 Breach/Data Loss Objectives

The Ponemon Institute recently released its Second Annual Benchmark Survey on Patient Privacy and Data Security. The study focused on actual data loss experience from a sample of 72 healthcare organizations. Compared with last year's data, the results indicate a rise in both occurrence and costs. 96% of organizations admitted to suffering at least one breach within the past 2 years. Based on the study, the estimated financial impact of a data breach is $2,243,700 per organization. When asked which types of negative impacts were directly caused, 81% reported time and productivity loss. Other responses included fines and penalties (37%) and lawsuits (23%). These percentages are high for impacts that are largely preventable. The results show a clear need for the implementation of incident response plans. Once a breach occurs, organizations should not have to expend excessive amounts of time, energy, and additional money on fines and/or class-action suits. If proper notification and breach procedures are practiced beforehand and followed efficiently, these negative impacts can be eliminated.


Co3 Systems created a Top 10 breach/data loss objectives list that walks organizations through the steps needed to prepare for a potential data breach.


Top 10 Breach/Data Loss Objectives


#10: Know what & where your sensitive data is

What it is:

  • First name or first initial, and last name
  • Social security number
  • Bank account number / access code
  • Credit card number
  • Driver's license number
  • Unique biometric data
  • Fingerprints
  • State ID number
  • Medical info
  • Which states?
  • Electronic & paper records

Where it is:

  • File servers
  • Storage systems
  • Application servers
  • Endpoints: PCs, laptops, mobile devices
  • Paper records

#9: Get rid of the data whenever possible

  • Delete it
  • Replace it
  • Obfuscate it
  • Encrypt it
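As an added example (not part of the Co3 Systems list or the Ponemon study), the following script runs an inventory pass over constructed sample records for two of the data types named in #10 (social security numbers and credit card numbers), records which location holds them, and masks the values as one way to "obfuscate it" under #9. The record names, regexes and validation rules are assumptions for illustration, not anything from the original page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "records" keyed by a hypothetical location (not real data).
SAMPLE_RECORDS = {
    "hr/payroll.csv": "Jane Q. Public, 123-45-6789, hired 2010",
    "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved",
    "notes/readme.txt": "ticket 000-12-3456, ref 1234 5678 9012 3456",
}
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped numbers that are never issued (000/666/9xx area, zero group/serial)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out most random 13-16 digit strings (ticket/reference numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (type, value) for every validated SSN or card number in text."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits

def mask(value: str) -> str:
    """Obfuscate: keep only the last four digits (one of the #9 options)."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def inventory(records: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each location that holds sensitive data to its masked findings."""
    result = {}
    for loc, text in records.items():
        hits = find_sensitive(text)
        if hits:
            result[loc] = [(kind, mask(val)) for kind, val in hits]
    return result

if __name__ == "__main__":
    print(inventory(SAMPLE_RECORDS))
```

The readme record is deliberately left out of the result: its SSN-shaped value has an unissued area number and its 16-digit reference fails the Luhn check, which is the kind of false positive a plain pattern match would report.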

#8: Define your policies

  • Processes to be followed by incident type
  • Standardized interpretation of legal / regulatory requirements: which apply? Which don't? Under what circumstances?
  • Standardized, consistent process through which all incidents are handled
  • Which contractual requirements do you need to include?

#7: Run assessments

  • Gauge the impact of different data loss scenarios (cyber breach, lost laptop, etc.)
  • What tasks would you need to complete?
  • What fines might you be subject to?