Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Data breach
open-in-new
<h2 id="definition">Definition</h2> <p>A data breach is a violation of "organizational, regulatory, legislative or contractual" law or policy<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a> that causes "the unauthorized exposure, disclosure, or loss of <a href="/facts/Personal_information/384PbBg5">personal information</a>".<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> Legal and contractual definitions vary.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a><a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a> Some researchers include other types of information, for example <a href="/facts/Intellectual_property/PqHW9mVP">intellectual property</a> or <a href="/facts/Classified_information/og7wn3tD">classified information</a>.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> However, companies mostly disclose breaches because it is required by law,<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> and only personal information is covered by <a href="/facts/Data_breach_notification_laws/QF2IDEjX">data breach notification laws</a>.<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a><a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a> </p> <h2 id="prevalence">Prevalence</h2> <p class="note">See also: <a href="/facts/List_of_data_breaches/2VrUU7w2">List of data breaches</a></p> <p>The first reported data breach occurred on 5 April 2002<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a> when 250,000 <a href="/facts/Social_security_numbers/MPmrfRg2">social security numbers</a> collected by the <a href="/facts/State_of_California/zLW2vdQJ">State of California</a> were stolen from a data center.<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a> Before the widespread adoption of <a href="/facts/Data_breach_notification_laws/QF2IDEjX">data breach notification laws</a> around 2005, the prevalence of data breaches is difficult to determine. Even afterwards, statistics per year cannot be relied on because data breaches may be reported years after they occurred,<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a> or not reported at all.<a class="footnote-ref" id="fnref:13" href="#fn:13"><sup>13</sup></a> Nevertheless, the statistics show a continued increase in the number and severity of data breaches that continues as of 2022.<a class="footnote-ref" id="fnref:14" href="#fn:14"><sup>14</sup></a> In 2016, researcher Sasha Romanosky estimated that data breaches (excluding <a href="/facts/Phishing/hvgfz4U8">phishing</a>) outnumbered other security breaches by a factor of four.<a class="footnote-ref" id="fnref:15" href="#fn:15"><sup>15</sup></a> </p> <h2 id="perpetrators">Perpetrators</h2> <p>According to a 2020 estimate, 55 percent of data breaches were caused by <a href="/facts/Organized_crime/m2eEga1z">organized crime</a>, 10 percent by <a href="/facts/System_administrators/zNhThrh9">system administrators</a>, 10 percent by <a href="/facts/End_user/7IM9qu7N">end users</a> such as customers or employees, and 10 percent by states or state-affiliated actors.<a class="footnote-ref" id="fnref:16" href="#fn:16"><sup>16</sup></a> Opportunistic criminals may cause data breaches—often using <a href="/facts/Malware/5ee7TLFR">malware</a> or <a href="/facts/Social_engineering_attack/7obTw773">social engineering attacks</a>, but they will typically move on if the security is above average. More organized criminals have more resources and are more focused in their <a href="/facts/Targeted_threat/T5hw3p0y">targeting of particular data</a>.<a class="footnote-ref" id="fnref:17" href="#fn:17"><sup>17</sup></a> Both of them sell the information they obtain for financial gain.<a class="footnote-ref" id="fnref:18" href="#fn:18"><sup>18</sup></a> Another source of data breaches are <a href="/facts/Hacktivism/Pf2eep2m">politically motivated hackers</a>, for example <a href="/facts/Anonymous_(hacker_group)/Qm7Nqlro">Anonymous</a>, that target particular objectives.<a class="footnote-ref" id="fnref:19" href="#fn:19"><sup>19</sup></a> State-sponsored hackers target either citizens of their country or foreign entities, for such purposes as <a href="/facts/Political_repression/aFzYy3S4">political repression</a> and <a href="/facts/Espionage/oaDJ5fAd">espionage</a>. Often they use undisclosed <a href="/facts/Zero-day_(computing)/B1jJkD0C">zero-day vulnerabilities</a> for which the hackers are paid large sums of money.<a class="footnote-ref" id="fnref:20" href="#fn:20"><sup>20</sup></a> The <a href="/facts/Pegasus_spyware/gfDBqYHX">Pegasus spyware</a>—a no-click malware developed by the Israeli company <a href="/facts/NSO_Group/e0wyTlTs">NSO Group</a> that can be installed on most cellphones and spies on the users' activity—has drawn attention both for use against criminals such as drug kingpin <a href="/facts/El_Chapo/6tG5k6wb">El Chapo</a> as well as political dissidents, facilitating the <a href="/facts/Murder_of_Jamal_Khashoggi/fDy86av6">murder of Jamal Khashoggi</a>.<a class="footnote-ref" id="fnref:21" href="#fn:21"><sup>21</sup></a> </p> <h2 id="causes">Causes</h2> <h3>Technical causes</h3> <p>Despite developers' goal of delivering a product that works entirely as intended, virtually all <a href="/facts/Software_bugs/I1uSXySv">software</a> and <a href="/facts/Hardware_bug/dsCVKPmN">hardware</a> contains bugs.<a class="footnote-ref" id="fnref:22" href="#fn:22"><sup>22</sup></a> If a bug creates a security risk, it is called a <a href="/facts/Vulnerability_(computing)/jg0Gr71M">vulnerability</a>.<a class="footnote-ref" id="fnref:23" href="#fn:23"><sup>23</sup></a><a class="footnote-ref" id="fnref:24" href="#fn:24"><sup>24</sup></a><a class="footnote-ref" id="fnref:25" href="#fn:25"><sup>25</sup></a> <a href="/facts/Software_patch/sIHVBPls">Patches</a> are often released to fix identified vulnerabilities, but those that remain unknown (<a href="/facts/Zero-day_(computing)/B1jJkD0C">zero days</a>) as well as those that have not been patched are still liable for exploitation.<a class="footnote-ref" id="fnref:26" href="#fn:26"><sup>26</sup></a> Both software written by the target of the breach and third party software used by them are vulnerable to attack.<a class="footnote-ref" id="fnref:27" href="#fn:27"><sup>27</sup></a> The <a href="/facts/Software_vendor_liability/mgKM87wW">software vendor is rarely legally liable</a> for the cost of breaches, thus creating an incentive to make cheaper but less secure software.<a class="footnote-ref" id="fnref:28" href="#fn:28"><sup>28</sup></a> </p><p>Vulnerabilities vary in their ability to be <a href="/facts/Exploit_(computer_security)/EdlqsRJM">exploited</a> by malicious actors. The most valuable allow the attacker to <a href="/facts/Code_injection/6gPRDpd1">inject</a> and run their own code (called <a href="/facts/Malware/5ee7TLFR">malware</a>), without the user being aware of it.<a class="footnote-ref" id="fnref:29" href="#fn:29"><sup>29</sup></a> Some malware is downloaded by users via clicking on a malicious link, but it is also possible for malicious <a href="/facts/Web_applications/BLkF3BIN">web applications</a> to download malware just from visiting the website (<a href="/facts/Drive-by_download/HzFIzd4h">drive-by download</a>). <a href="/facts/Keyloggers/DQRJfEvc">Keyloggers</a>, a type of malware that records a user's keystrokes, are often used in data breaches.<a class="footnote-ref" id="fnref:30" href="#fn:30"><sup>30</sup></a> The majority of data breaches could have been averted by storing all sensitive information in an encrypted format. That way, physical possession of the storage device or access to encrypted information is useless unless the attacker has the <a href="/facts/Encryption_key/5W5PAmT4">encryption key</a>.<a class="footnote-ref" id="fnref:31" href="#fn:31"><sup>31</sup></a> <a href="/facts/Hash_function/rk6MlCt3">Hashing</a> is also a good solution for keeping <a href="/facts/Password/WEoul230">passwords</a> safe from <a href="/facts/Brute-force_attack/TXl8pkfb">brute-force attacks</a>, but only if the algorithm is sufficiently secure.<a class="footnote-ref" id="fnref:32" href="#fn:32"><sup>32</sup></a> </p><p>Many data breaches occur on the hardware operated by a partner of the organization targeted—including the <a href="/facts/2013_Target_data_breach/oJXpV458">2013 Target data breach</a> and <a href="/facts/2014_JPMorgan_Chase_data_breach/jzu5z4gX">2014 JPMorgan Chase data breach</a>.<a class="footnote-ref" id="fnref:33" href="#fn:33"><sup>33</sup></a> <a href="/facts/Outsourcing/qa3WgJ7u">Outsourcing</a> work to a third party leads to a risk of data breach if that company has lower security standards; in particular, small companies often lack the resources to take as many security precautions.<a class="footnote-ref" id="fnref:34" href="#fn:34"><sup>34</sup></a><a class="footnote-ref" id="fnref:35" href="#fn:35"><sup>35</sup></a> As a result, outsourcing agreements often include security guarantees and provisions for what happens in the event of a data breach.<a class="footnote-ref" id="fnref:36" href="#fn:36"><sup>36</sup></a> </p> <h3>Human causes</h3> <p>Human causes of breach are often based on trust of another actor that turns out to be malicious. <a href="/facts/Social_engineering_attack/7obTw773">Social engineering attacks</a> rely on tricking an insider into doing something that compromises the system's security, such as revealing a password or clicking a link to download malware.<a class="footnote-ref" id="fnref:37" href="#fn:37"><sup>37</sup></a> Data breaches may also be deliberately caused by insiders.<a class="footnote-ref" id="fnref:38" href="#fn:38"><sup>38</sup></a> One type of social engineering, <a href="/facts/Phishing/hvgfz4U8">phishing</a>,<a class="footnote-ref" id="fnref:39" href="#fn:39"><sup>39</sup></a> obtains a user's <a href="/facts/Credential/wsuEjr95">credentials</a> by sending them a malicious message impersonating a legitimate entity, such as a bank, and getting the user to enter their credentials onto a malicious website controlled by the cybercriminal. <a href="/facts/Two-factor_authentication/186gpx8R">Two-factor authentication</a> can prevent the malicious actor from using the credentials.<a class="footnote-ref" id="fnref:40" href="#fn:40"><sup>40</sup></a> Training employees to recognize social engineering is another common strategy.<a class="footnote-ref" id="fnref:41" href="#fn:41"><sup>41</sup></a> </p><p>Another source of breaches is accidental disclosure of information, for example publishing information that should be kept private.<a class="footnote-ref" id="fnref:42" href="#fn:42"><sup>42</sup></a><a class="footnote-ref" id="fnref:43" href="#fn:43"><sup>43</sup></a> With the increase in <a href="/facts/Remote_work/yDcwVn1F">remote work</a> and <a href="/facts/Bring_your_own_device/oACTQ4oK">bring your own device</a> policies, large amounts of corporate data is stored on personal devices of employees. Via carelessness or disregard of company security policies, these devices can be lost or stolen.<a class="footnote-ref" id="fnref:44" href="#fn:44"><sup>44</sup></a> Technical solutions can prevent many causes of human error, such as encrypting all sensitive data, preventing employees from using insecure passwords, installing <a href="/facts/Antivirus_software/GGMqsfkJ">antivirus software</a> to prevent malware, and implementing a robust patching system to ensure that all devices are kept up to date.<a class="footnote-ref" id="fnref:45" href="#fn:45"><sup>45</sup></a> </p> <h2 id="breach-lifecycle">Breach lifecycle</h2> <h3>Prevention</h3> <p class="note">See also: <a href="/facts/Information_security/horlrCln">Information security</a> and <a href="/facts/Data_loss_prevention_software/Gk9zx9Wa">Data loss prevention software</a></p> <p>Although attention to security can reduce the risk of data breach, it cannot bring it to zero. Security is not the only priority of organizations, and an attempt to achieve perfect security would make the technology unusable.<a class="footnote-ref" id="fnref:46" href="#fn:46"><sup>46</sup></a> Many companies hire a <a href="/facts/Chief_information_security_officer/MsljJCfQ">chief information security officer</a> (CISO) to oversee the company's information security strategy.<a class="footnote-ref" id="fnref:47" href="#fn:47"><sup>47</sup></a> To obtain information about potential threats, security professionals will network with each other and share information with other organizations facing similar threats.<a class="footnote-ref" id="fnref:48" href="#fn:48"><sup>48</sup></a> Defense measures can include an updated incident response strategy, contracts with <a href="/facts/Digital_forensics/MPF5Vdpq">digital forensics</a> firms that could investigate a breach,<a class="footnote-ref" id="fnref:49" href="#fn:49"><sup>49</sup></a> <a href="/facts/Cyber_insurance/V93YVnMe">cyber insurance</a>,<a class="footnote-ref" id="fnref:50" href="#fn:50"><sup>50</sup></a><a class="footnote-ref" id="fnref:51" href="#fn:51"><sup>51</sup></a> and monitoring the <a href="/facts/Dark_web/A40ffCpy">dark web</a> for stolen credentials of employees.<a class="footnote-ref" id="fnref:52" href="#fn:52"><sup>52</sup></a> In 2024, the United States <a href="/facts/National_Institute_of_Standards_and_Technology/gr9Fnh85">National Institute of Standards and Technology</a> (NIST) issued a special publication, "Data Confidentiality: Identifying and Protecting Assets Against Data Breaches".<a class="footnote-ref" id="fnref:53" href="#fn:53"><sup>53</sup></a> The <a href="/facts/NIST_Cybersecurity_Framework/b7hxtchl">NIST Cybersecurity Framework</a> also contains information about data protection.<a class="footnote-ref" id="fnref:54" href="#fn:54"><sup>54</sup></a> Other organizations have released different standards for data protection.<a class="footnote-ref" id="fnref:55" href="#fn:55"><sup>55</sup></a> </p><p>The architecture of a company's systems plays a key role in deterring attackers. Daswani and Elbayadi recommend having only one means of <a href="/facts/Authentication/64y4S69b">authentication</a>,<a class="footnote-ref" id="fnref:56" href="#fn:56"><sup>56</sup></a> avoiding redundant systems, and making the most secure setting default.<a class="footnote-ref" id="fnref:57" href="#fn:57"><sup>57</sup></a> <a href="/facts/Defense_in_depth_(computing)/4DWLv5xk">Defense in depth</a> and distributed privilege (requiring multiple authentications to execute an operation) also can make a system more difficult to hack.<a class="footnote-ref" id="fnref:58" href="#fn:58"><sup>58</sup></a> Giving employees and software the least amount of access necessary to fulfill their functions (<a href="/facts/Principle_of_least_privilege/sqsT4tln">principle of least privilege</a>) limits the likelihood and damage of breaches.<a class="footnote-ref" id="fnref:59" href="#fn:59"><sup>59</sup></a><a class="footnote-ref" id="fnref:60" href="#fn:60"><sup>60</sup></a> Several data breaches were enabled by reliance on <a href="/facts/Security_by_obscurity/GvF87wz1">security by obscurity</a>; the victims had put access credentials in publicly accessible files.<a class="footnote-ref" id="fnref:61" href="#fn:61"><sup>61</sup></a> Nevertheless, prioritizing ease of use is also important because otherwise users might circumvent the security systems.<a class="footnote-ref" id="fnref:62" href="#fn:62"><sup>62</sup></a> Rigorous <a href="/facts/Software_testing/VoXzG9Tb">software testing</a>, including <a href="/facts/Penetration_testing/Jd7lFd4z">penetration testing</a>, can reduce software vulnerabilities, and must be performed prior to each release even if the company is using a <a href="/facts/CI%2fCD/uGeanHaX">continuous integration/continuous deployment</a> model where new versions are constantly being rolled out.<a class="footnote-ref" id="fnref:63" href="#fn:63"><sup>63</sup></a> </p><p>The principle of least persistence<a class="footnote-ref" id="fnref:64" href="#fn:64"><sup>64</sup></a>—avoiding the collection of data that is not necessary and destruction of data that is no longer necessary—can mitigate the harm from breaches.<a class="footnote-ref" id="fnref:65" href="#fn:65"><sup>65</sup></a><a class="footnote-ref" id="fnref:66" href="#fn:66"><sup>66</sup></a><a class="footnote-ref" id="fnref:67" href="#fn:67"><sup>67</sup></a> The challenge is that destroying data can be more complex with modern database systems.<a class="footnote-ref" id="fnref:68" href="#fn:68"><sup>68</sup></a> </p> <h3>Response</h3> <p class="note">See also: <a href="/facts/Computer_emergency_response_team/WyfIx7Q5">Computer security incident response team</a></p> <p>A large number of data breaches are never detected.<a class="footnote-ref" id="fnref:69" href="#fn:69"><sup>69</sup></a> Of those that are, most breaches are detected by third parties;<a class="footnote-ref" id="fnref:70" href="#fn:70"><sup>70</sup></a><a class="footnote-ref" id="fnref:71" href="#fn:71"><sup>71</sup></a> others are detected by employees or automated systems.<a class="footnote-ref" id="fnref:72" href="#fn:72"><sup>72</sup></a> Responding to breaches is often the responsibility of a dedicated <a href="/facts/Computer_emergency_response_team/WyfIx7Q5">computer security incident response team</a>, often including technical experts, <a href="/facts/Public_relations/mQJUIuWQ">public relations</a>, and legal counsel.<a class="footnote-ref" id="fnref:73" href="#fn:73"><sup>73</sup></a><a class="footnote-ref" id="fnref:74" href="#fn:74"><sup>74</sup></a> Many companies do not have sufficient expertise in-house, and subcontract some of these roles;<a class="footnote-ref" id="fnref:75" href="#fn:75"><sup>75</sup></a> often, these outside resources are provided by the cyber insurance policy.<a class="footnote-ref" id="fnref:76" href="#fn:76"><sup>76</sup></a> After a data breach becomes known to the company, the next steps typically include confirming it occurred, notifying the response team, and attempting to contain the damage.<a class="footnote-ref" id="fnref:77" href="#fn:77"><sup>77</sup></a> </p><p>To stop exfiltration of data, common strategies include shutting down affected servers, taking them offline, <a href="/facts/Software_patch/sIHVBPls">patching</a> the vulnerability, and <a href="/facts/Software_build/uTz1koQy">rebuilding</a>.<a class="footnote-ref" id="fnref:78" href="#fn:78"><sup>78</sup></a> Once the exact way that the data was compromised is identified, there is typically only one or two technical vulnerabilities that need to be addressed in order to contain the breach and prevent it from reoccurring.<a class="footnote-ref" id="fnref:79" href="#fn:79"><sup>79</sup></a> A <a href="/facts/Penetration_test/Jd7lFd4z">penetration test</a> can then verify that the fix is working as expected.<a class="footnote-ref" id="fnref:80" href="#fn:80"><sup>80</sup></a> If <a href="/facts/Malware/5ee7TLFR">malware</a> is involved, the organization must investigate and close all infiltration and exfiltration vectors, as well as locate and remove all malware from its systems.<a class="footnote-ref" id="fnref:81" href="#fn:81"><sup>81</sup></a> If data was posted on the <a href="/facts/Dark_web/A40ffCpy">dark web</a>, companies may attempt to have it taken down.<a class="footnote-ref" id="fnref:82" href="#fn:82"><sup>82</sup></a> Containing the breach can compromise investigation, and some tactics (such as shutting down servers) can violate the company's contractual obligations.<a class="footnote-ref" id="fnref:83" href="#fn:83"><sup>83</sup></a> </p><p>Gathering data about the breach can facilitate later litigation or criminal prosecution,<a class="footnote-ref" id="fnref:84" href="#fn:84"><sup>84</sup></a> but only if the data is gathered according to legal standards and the <a href="/facts/Chain_of_custody/Rbe2focv">chain of custody</a> is maintained.<a class="footnote-ref" id="fnref:85" href="#fn:85"><sup>85</sup></a> Database forensics can narrow down the records involved, limiting the scope of the incident.<a class="footnote-ref" id="fnref:86" href="#fn:86"><sup>86</sup></a> Extensive investigation may be undertaken, which can be even more expensive than <a href="/facts/Litigation/gFeKr9ra">litigation</a>.<a class="footnote-ref" id="fnref:87" href="#fn:87"><sup>87</sup></a> In the United States, breaches may be investigated by government agencies such as the <a href="/facts/Office_for_Civil_Rights/XIxv7q8g">Office for Civil Rights</a>, the <a href="/facts/United_States_Department_of_Health_and_Human_Services/eS90vYmd">United States Department of Health and Human Services</a>, and the <a href="/facts/Federal_Trade_Commission/Hkz0PwF9">Federal Trade Commission</a> (FTC).<a class="footnote-ref" id="fnref:88" href="#fn:88"><sup>88</sup></a> Law enforcement agencies may investigate breaches<a class="footnote-ref" id="fnref:89" href="#fn:89"><sup>89</sup></a> although the hackers responsible are rarely caught.<a class="footnote-ref" id="fnref:90" href="#fn:90"><sup>90</sup></a> </p><p>Notifications are typically sent out as required by law.<a class="footnote-ref" id="fnref:91" href="#fn:91"><sup>91</sup></a> Many companies offer free <a href="/facts/Credit_monitoring/WeTsu8uo">credit monitoring</a> to people affected by a data breach, although only around 5 percent of those eligible take advantage of the service.<a class="footnote-ref" id="fnref:92" href="#fn:92"><sup>92</sup></a> Issuing new credit cards to consumers, although expensive, is an effective strategy to reduce the risk of <a href="/facts/Credit_card_fraud/Lg8lD8xJ">credit card fraud</a>.<a class="footnote-ref" id="fnref:93" href="#fn:93"><sup>93</sup></a> Companies try to restore trust in their business operations and take steps to prevent a breach from reoccurring.<a class="footnote-ref" id="fnref:94" href="#fn:94"><sup>94</sup></a> </p> <h2 id="consequences">Consequences</h2> <h3>For consumers</h3> <p>After a data breach, criminals make money by selling data, such as usernames, passwords, <a href="/facts/Social_media/kUIkfpIA">social media</a> or <a href="/facts/Loyalty_business_model/deMQ8RSK">customer loyalty</a> account information, <a href="/facts/Debit_card/A9C9sNeB">debit</a> and <a href="/facts/Credit_card/7pKSB5LD">credit card</a> numbers,<a class="footnote-ref" id="fnref:95" href="#fn:95"><sup>95</sup></a> and personal health information (see <a href="/facts/Medical_data_breach/2II9X7Lv">medical data breach</a>).<a class="footnote-ref" id="fnref:96" href="#fn:96"><sup>96</sup></a> Criminals often sell this data on the <a href="/facts/Dark_web/A40ffCpy">dark web</a>—parts of the internet where it is difficult to trace users and illicit activity is widespread—using platforms like <a href="/facts/.onion/oe9h7Mfq">.onion</a> or <a href="/facts/I2P/Yt6Deh4q">I2P</a>.<a class="footnote-ref" id="fnref:97" href="#fn:97"><sup>97</sup></a> Originating in the 2000s, the dark web, followed by untraceable <a href="/facts/Cryptocurrencies/Rg6JAS8y">cryptocurrencies</a> such as <a href="/facts/Bitcoin/UJvqfray">Bitcoin</a> in the 2010s, made it possible for criminals to sell data obtained in breaches with minimal risk of getting caught, facilitating an increase in hacking.<a class="footnote-ref" id="fnref:98" href="#fn:98"><sup>98</sup></a><a class="footnote-ref" id="fnref:99" href="#fn:99"><sup>99</sup></a> One popular darknet marketplace, <a href="/facts/Silk_Road_(marketplace)/YQD4n5aT">Silk Road</a>, was shut down in 2013 and its operators arrested, but several other marketplaces emerged in its place.<a class="footnote-ref" id="fnref:100" href="#fn:100"><sup>100</sup></a> <a href="/facts/Telegram_(software)/TqaAlHwN">Telegram</a> is also a popular forum for illegal sales of data.<a class="footnote-ref" id="fnref:101" href="#fn:101"><sup>101</sup></a> </p><p>This information may be used for a variety of purposes, such as <a href="/facts/Spamming/Qc9IL60W">spamming</a>, obtaining products with a victim's loyalty or payment information, <a href="/facts/Identity_theft/WeTNe9DG">identity theft</a>, <a href="/facts/Drug_fraud/YvTopxC8">prescription drug fraud</a>, or <a href="/facts/Insurance_fraud/Lev9uF3U">insurance fraud</a>.<a class="footnote-ref" id="fnref:102" href="#fn:102"><sup>102</sup></a> The threat of data breach or revealing information obtained in a data breach can be used for <a href="/facts/Extortion/tv3TraAp">extortion</a>.<a class="footnote-ref" id="fnref:103" href="#fn:103"><sup>103</sup></a> </p><p>Consumers may suffer various forms of tangible or intangible harm from the theft of their personal data, or not notice any harm.<a class="footnote-ref" id="fnref:104" href="#fn:104"><sup>104</sup></a> A significant portion of those affected by a data breach become victims of <a href="/facts/Identity_theft/WeTNe9DG">identity theft</a>.<a class="footnote-ref" id="fnref:105" href="#fn:105"><sup>105</sup></a> A person's identifying information often circulates on the dark web for years, causing an increased risk of identity theft regardless of remediation efforts.<a class="footnote-ref" id="fnref:106" href="#fn:106"><sup>106</sup></a><a class="footnote-ref" id="fnref:107" href="#fn:107"><sup>107</sup></a> Even if a customer does not end up footing the bill for <a href="/facts/Credit_card_fraud/Lg8lD8xJ">credit card fraud</a> or identity theft, they have to spend time resolving the situation.<a class="footnote-ref" id="fnref:108" href="#fn:108"><sup>108</sup></a><a class="footnote-ref" id="fnref:109" href="#fn:109"><sup>109</sup></a> Intangible harms include <a href="/facts/Doxxing/4BAAFeAk">doxxing</a> (publicly revealing someone's personal information), for example medication usage or personal photos.<a class="footnote-ref" id="fnref:110" href="#fn:110"><sup>110</sup></a> </p> <h3>For organizations</h3> <p>There is little empirical evidence of economic harm from breaches except the direct cost, although there is some evidence suggesting a temporary, short-term decline in <a href="/facts/Share_price/PlkFFTpT">stock price</a>.<a class="footnote-ref" id="fnref:111" href="#fn:111"><sup>111</sup></a> Other impacts on the company can range from lost business, reduced employee productivity due to systems being offline or personnel redirected to working on the breach,<a class="footnote-ref" id="fnref:112" href="#fn:112"><sup>112</sup></a> resignation or firing of senior executives,<a class="footnote-ref" id="fnref:113" href="#fn:113"><sup>113</sup></a> <a href="/facts/Reputational_damage/vmuNGvEU">reputational damage</a>,<a class="footnote-ref" id="fnref:114" href="#fn:114"><sup>114</sup></a><a class="footnote-ref" id="fnref:115" href="#fn:115"><sup>115</sup></a> and increasing the future cost of auditing or security.<a class="footnote-ref" id="fnref:116" href="#fn:116"><sup>116</sup></a> Consumer losses from a breach are usually a negative <a href="/facts/Externality/hGgw7gtT">externality</a> for the business.<a class="footnote-ref" id="fnref:117" href="#fn:117"><sup>117</sup></a> Some experts have argued that the evidence suggests there is not enough direct costs or reputational damage from data breaches to sufficiently <a href="/facts/Incentive/eWAy7odC">incentivize</a> their prevention.<a class="footnote-ref" id="fnref:118" href="#fn:118"><sup>118</sup></a><a class="footnote-ref" id="fnref:119" href="#fn:119"><sup>119</sup></a> </p><p>Estimating the cost of data breaches is difficult, both because not all breaches are reported and also because calculating the impact of breaches in financial terms is not straightforward. There are multiple ways of calculating the cost to businesses, especially when it comes to personnel time dedicated to dealing with the breach.<a class="footnote-ref" id="fnref:120" href="#fn:120"><sup>120</sup></a> Author Kevvie Fowler estimates that more than half the direct cost incurred by companies is in the form of litigation expenses and services provided to affected individuals, with the remaining cost split between notification and detection, including forensics and investigation. He argues that these costs are reduced if the organization has invested in security prior to the breach or has previous experience with breaches. The more <a href="/facts/Record_(computer_science)/1fvSgenB">data records</a> involved, the more expensive a breach typically will be.<a class="footnote-ref" id="fnref:121" href="#fn:121"><sup>121</sup></a> In 2016, researcher Sasha Romanosky estimated that while the mean breach cost around the targeted firm $5 million, this figure was inflated by a few highly expensive breaches, and the typical data breach was much less costly, around $200,000. Romanosky estimated the total annual cost to corporations in the United States to be around $10 billion.<a class="footnote-ref" id="fnref:122" href="#fn:122"><sup>122</sup></a> </p> <h2 id="laws">Laws</h2> <h3>Notification</h3> <p class="note">Main article: <a href="/facts/Data_breach_notification_laws/QF2IDEjX">Data breach notification laws</a></p> <p>The law regarding data breaches is often found in <a href="/facts/Privacy_law/MqQ3j0UU">legislation to protect privacy</a> more generally, and is dominated by provisions mandating notification when breaches occur.<a class="footnote-ref" id="fnref:123" href="#fn:123"><sup>123</sup></a> Laws differ greatly in how breaches are defined,<a class="footnote-ref" id="fnref:124" href="#fn:124"><sup>124</sup></a> what type of information is protected, the deadline for notification,<a class="footnote-ref" id="fnref:125" href="#fn:125"><sup>125</sup></a> and who has <a href="/facts/Standing_(law)/AN8mu6y0">standing</a> to sue if the law is violated.<a class="footnote-ref" id="fnref:126" href="#fn:126"><sup>126</sup></a> Notification laws increase <a href="/facts/Transparency_(behavior)/vbB9ombC">transparency</a> and provide a reputational incentive for companies to reduce breaches.<a class="footnote-ref" id="fnref:127" href="#fn:127"><sup>127</sup></a> The cost of notifying the breach can be high if many people were affected and is incurred regardless of the company's responsibility, so it can function like a <a href="/facts/Strict_liability/6aeC9IDb">strict liability</a> fine.<a class="footnote-ref" id="fnref:128" href="#fn:128"><sup>128</sup></a> </p><p>As of 2024, <i>Thomas on Data Breach</i> listed 62 <a href="/facts/United_Nations_member_states/rpx3f10b">United Nations member states</a> that are covered by data breach notification laws. Some other countries require breach notification in more general <a href="/facts/Information_privacy_law/EERtnLNp">data protection laws</a>.<a class="footnote-ref" id="fnref:129" href="#fn:129"><sup>129</sup></a> Shortly after the first reported data breach in April 2002, California passed <a href="/facts/California_Senate_Bill_1386_(2002)/s3cHMF6Q">a law requiring notification</a> when an individual's personal information was breached.<a class="footnote-ref" id="fnref:130" href="#fn:130"><sup>130</sup></a> In the United States, notification laws proliferated after the February 2005 ChoicePoint data breach, widely publicized in part because of the large number of people affected (more than 140,000) and also because of outrage that the company initially informed only affected people in California.<a class="footnote-ref" id="fnref:131" href="#fn:131"><sup>131</sup></a><a class="footnote-ref" id="fnref:132" href="#fn:132"><sup>132</sup></a> In 2018, the <a href="/facts/European_Union/6GYcR8qM">European Union</a>'s <a href="/facts/General_Data_Protection_Regulation/RMLY6ohr">General Data Protection Regulation</a> (GDPR) took effect. The GDPR requires notification within 72 hours, with very high fines possible for large companies not in compliance. This regulation also stimulated the tightening of data privacy laws elsewhere.<a class="footnote-ref" id="fnref:133" href="#fn:133"><sup>133</sup></a><a class="footnote-ref" id="fnref:134" href="#fn:134"><sup>134</sup></a> As of 2022, the only <a href="/facts/United_States_federal_law/qVcQjGCe">United States federal law</a> requiring notification for data breaches is limited to medical data regulated under <a href="/facts/HIPAA/b40VtyEC">HIPAA</a>, but all 50 states (since Alabama passed a law in 2018) have their own general data breach notification laws.<a class="footnote-ref" id="fnref:135" href="#fn:135"><sup>135</sup></a> </p> <h3>Security safeguards</h3> <p>Measures to protect data from a breach are typically absent from the law or vague.<a class="footnote-ref" id="fnref:136" href="#fn:136"><sup>136</sup></a> Filling this gap is standards required by <a href="/facts/Cyber_insurance/V93YVnMe">cyber insurance</a>, which is held by most large companies and functions as de factoregulation.<a class="footnote-ref" id="fnref:137" href="#fn:137"><sup>137</sup></a><a class="footnote-ref" id="fnref:138" href="#fn:138"><sup>138</sup></a> Of the laws that do exist, there are two main approaches—one that prescribes specific standards to follow, and the <a href="/facts/Reasonableness/8wC146cQ">reasonableness</a> approach.<a class="footnote-ref" id="fnref:139" href="#fn:139"><sup>139</sup></a> The former is rarely used due to a lack of flexibility and reluctance of legislators to arbitrate technical issues; with the latter approach, the law is vague but specific standards can emerge from <a href="/facts/Case_law/2xMz9eeA">case law</a>.<a class="footnote-ref" id="fnref:140" href="#fn:140"><sup>140</sup></a> Companies often prefer the standards approach for providing greater <a href="/facts/Legal_certainty/10k6tCvQ">legal certainty</a>, but they might check all the boxes without providing a secure product.<a class="footnote-ref" id="fnref:141" href="#fn:141"><sup>141</sup></a> An additional flaw is that the laws are poorly enforced, with penalties often much less than the cost of a breach, and many companies do not follow them.<a class="footnote-ref" id="fnref:142" href="#fn:142"><sup>142</sup></a> </p> <h3>Litigation</h3> <p>Many <a href="/facts/Class-action_lawsuit/VFeabe1R">class-action lawsuits</a>, <a href="/facts/Derivative_suit/al0EeqA3">derivative suits</a>, and other litigation have been brought after data breaches.<a class="footnote-ref" id="fnref:143" href="#fn:143"><sup>143</sup></a> They are often <a href="/facts/Settlement_(litigation)/IhjVTyJz">settled</a> regardless of the merits of the case due to the high cost of litigation.<a class="footnote-ref" id="fnref:144" href="#fn:144"><sup>144</sup></a><a class="footnote-ref" id="fnref:145" href="#fn:145"><sup>145</sup></a> Even if a settlement is paid, few affected consumers receive any money as it usually is only cents to a few dollars per victim.<a class="footnote-ref" id="fnref:146" href="#fn:146"><sup>146</sup></a><a class="footnote-ref" id="fnref:147" href="#fn:147"><sup>147</sup></a> Legal scholars <a href="/facts/Daniel_J._Solove/Gmcen0WC">Daniel J. Solove</a> and Woodrow Hartzog argue that "Litigation has increased the costs of data breaches but has accomplished little else."<a class="footnote-ref" id="fnref:148" href="#fn:148"><sup>148</sup></a> Plaintiffs often struggle to prove that they suffered harm from a data breach.<a class="footnote-ref" id="fnref:149" href="#fn:149"><sup>149</sup></a> The contribution of a company's actions to a data breach varies,<a class="footnote-ref" id="fnref:150" href="#fn:150"><sup>150</sup></a><a class="footnote-ref" id="fnref:151" href="#fn:151"><sup>151</sup></a> and likewise the liability for the damage resulting for data breaches is a contested matter. It is disputed what standard should be applied, whether it is strict liability, <a href="/facts/Negligence/0GMNBaIr">negligence</a>, or something else.<a class="footnote-ref" id="fnref:152" href="#fn:152"><sup>152</sup></a> </p> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Full_disclosure_(computer_security)/X4WTLAw0">Full disclosure (computer security)</a></li> <li><a href="/facts/Medical_data_breach/2II9X7Lv">Medical data breach</a></li> <li><a href="/facts/Surveillance_capitalism/0UfUXB4w">Surveillance capitalism</a></li> <li><a href="/facts/Data_breaches_in_India/4gSBH2M4">Data breaches in India</a></li></ul> <h2 id="sources">Sources</h2> <ul><li>Ablon, Lillian; Bogart, Andy (2017). <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf"><i>Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits</i></a> (PDF). Rand Corporation. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-8330-9761-3.</li> <li>Crawley, Kim (2021). <a href="https://books.google.com/books?id=51U-EAAAQBAJ"><i>8 Steps to Better Security: A Simple Cyber Resilience Guide for Business</i></a>. John Wiley & Sons. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-119-81124-4.</li> <li><a href="/facts/Neil_Daswani/uVmLPflX">Daswani, Neil</a>; Elbayadi, Moudy (2021). <a href="https://books.google.com/books?id=HtkHzgEACAAJ"><i>Big Breaches: Cybersecurity Lessons for Everyone</i></a>. Apress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4842-6654-0.</li> <li>Davidoff, Sherri (2019). <i>Data Breaches: Crisis and Opportunity</i>. Addison-Wesley Professional. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-13-450772-9.</li> <li>Fisher, William; Craft, R. Eugene; Ekstrom, Michael; Sexton, Julian; Sweetnam, John (2024). <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-28.pdf">Data Confidentiality: Identifying and Protecting Assets Against Data Breaches</a> (PDF) (Report). NIST Special Publications. <a href="/facts/National_Institute_of_Standards_and_Technology/gr9Fnh85">National Institute of Standards and Technology</a>.</li> <li>Fowler, Kevvie (2016). <a href="https://books.google.com/books?id=m5SZBgAAQBAJ"><i>Data Breach Preparation and Response: Breaches are Certain, Impact is Not</i></a>. Elsevier Science. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-12-803451-4.</li> <li>Joerling, Jill (2010). <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/wajlp32&div=16&id=&page=">"Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data"</a>. <i>Washington University Journal of Law and Policy</i>. 32: 467.</li> <li>Kaster, Sean D.; Ensign, Prescott C. (2023). <a href="https://doi.org/10.1002%2Ftie.22321">"Privatized espionage: NSO Group Technologies and its Pegasus spyware"</a>. <i>Thunderbird International Business Review</i>. 65 (3): 355–364. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1002%2Ftie.22321">10.1002/tie.22321</a>.</li> <li>Lenhard, Thomas H. (2022). <i>Data Security: Technical and Organizational Protection Measures against Data Loss and Computer Crime</i>. Springer Nature. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-3-658-35494-7.</li> <li>Lesemann, Dana J. (2010). <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=">"One More unto the Breach: An Analysis of Legal, Technological, and Policy Issues Involving Data Breach Notification Statutes"</a>. <i>Akron Intellectual Property Journal</i>. 4: 203.</li> <li>Makridis, Christos A (2021). <a href="https://doi.org/10.1093%2Fcybsec%2Ftyab021">"Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018"</a>. <i>Journal of Cybersecurity</i>. 7 (1). <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1093%2Fcybsec%2Ftyab021">10.1093/cybsec/tyab021</a>.</li> <li><a href="/facts/National_Academies_of_Sciences%2c_Engineering%2c_and_Medicine/AdYmBBGV">National Academies of Sciences, Engineering, and Medicine</a> (2016). "Forum on Cyber Resilience Workshop Series". <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings"><i>Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop</i></a>. National Academies Press. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-309-44505-4.{{cite book}}: CS1 maint: multiple names: authors list (link)</li> <li>Ntantogian, Christoforos; Malliaros, Stefanos; Xenakis, Christos (2019). <a href="https://zenodo.org/record/2632724">"Evaluation of password hashing schemes in open source web platforms"</a>. <i>Computers & Security</i>. 84: 206–224. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1016%2Fj.cose.2019.03.011">10.1016/j.cose.2019.03.011</a>.</li> <li>Seaman, Jim (2020). <i>PCI DSS: An Integrated Data Security Standard Guide</i>. Apress. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4842-5808-8.</li> <li>Shukla, Samiksha; George, Jossy P.; Tiwari, Kapil; Kureethara, Joseph Varghese (2022). <i>Data Ethics and Challenges</i>. Springer Nature. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-981-19-0752-4.</li> <li>Sloan, Robert H.; Warner, Richard (2019). <i>Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy</i>. CRC Press. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-351-12729-5.</li> <li><a href="/facts/Daniel_J._Solove/Gmcen0WC">Solove, Daniel J.</a>; Hartzog, Woodrow (2022). <a href="https://books.google.com/books?id=EenMzQEACAAJ"><i>Breached!: Why Data Security Law Fails and How to Improve it</i></a>. Oxford University Press. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-0-19-094057-7.</li> <li>Talesh, Shauhin A. (2018). "Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as "Compliance Managers" for Businesses". <i>Law & Social Inquiry</i>. 43 (2): 417–440. <a href="/facts/Doi_(identifier)/muM9Etpq">doi</a>:<a href="https://doi.org/10.1111%2Flsi.12303">10.1111/lsi.12303</a>.</li> <li>Thomas, Liisa M. (2023). <a href="https://static.legalsolutions.thomsonreuters.com/product_files/relateddocs/243610_20248_1038.pdf"><i>Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide</i></a> (PDF). <a href="/facts/Thomson_Reuters/GPIlfqa2">Thomson Reuters</a>. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-7319-5405-3.</li> <li>Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). <i>Cyber Resilience Fundamentals</i>. Springer Nature. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-3-031-52064-8.</li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Solove & Hartzog 2022, p. 5. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Fowler 2016, p. 2. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>Solove & Hartzog 2022, p. 5. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Solove & Hartzog 2022, p. 41. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Fowler 2016, p. 2. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>Shukla et al. 2022, pp. 47–48. - Shukla, Samiksha; George, Jossy P.; Tiwari, Kapil; Kureethara, Joseph Varghese (2022). Data Ethics and Challenges. Springer Nature. ISBN 978-981-19-0752-4. <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 18. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>Solove & Hartzog 2022, p. 42. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>Fowler 2016, p. 45. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>Joerling 2010, p. 468 fn 7. - Joerling, Jill (2010). "Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data". Washington University Journal of Law and Policy. 32: 467. <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/wajlp32&div=16&id=&page=" target="_blank">https://heinonline.org/HOL/LandingPage?handle=hein.journals/wajlp32&div=16&id=&page=</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>Lesemann 2010, p. 206. - Lesemann, Dana J. (2010). "One More unto the Breach: An Analysis of Legal, Technological, and Policy Issues Involving Data Breach Notification Statutes". Akron Intellectual Property Journal. 4: 203. <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=" target="_blank">https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>Solove & Hartzog 2022, p. 18. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> <li id="fn:13"><p>Solove & Hartzog 2022, p. 29. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:13" class="footnote-back-ref">↩</a></p></li> <li id="fn:14"><p>Solove & Hartzog 2022, pp. 17–18. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:14" class="footnote-back-ref">↩</a></p></li> <li id="fn:15"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 9. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:15" class="footnote-back-ref">↩</a></p></li> <li id="fn:16"><p>Crawley 2021, p. 46. - Crawley, Kim (2021). 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business. John Wiley & Sons. ISBN 978-1-119-81124-4. <a href="https://books.google.com/books?id=51U-EAAAQBAJ" target="_blank">https://books.google.com/books?id=51U-EAAAQBAJ</a> <a href="#fnref:16" class="footnote-back-ref">↩</a></p></li> <li id="fn:17"><p>Fowler 2016, pp. 7–8. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:17" class="footnote-back-ref">↩</a></p></li> <li id="fn:18"><p>Fowler 2016, p. 13. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:18" class="footnote-back-ref">↩</a></p></li> <li id="fn:19"><p>Fowler 2016, pp. 9–10. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:19" class="footnote-back-ref">↩</a></p></li> <li id="fn:20"><p>Fowler 2016, pp. 10–11. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:20" class="footnote-back-ref">↩</a></p></li> <li id="fn:21"><p>Kaster & Ensign 2023, p. 355. - Kaster, Sean D.; Ensign, Prescott C. (2023). "Privatized espionage: NSO Group Technologies and its Pegasus spyware". Thunderbird International Business Review. 65 (3): 355–364. doi:10.1002/tie.22321. <a href="https://doi.org/10.1002%2Ftie.22321" target="_blank">https://doi.org/10.1002%2Ftie.22321</a> <a href="#fnref:21" class="footnote-back-ref">↩</a></p></li> <li id="fn:22"><p>Ablon & Bogart 2017, p. 1. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:22" class="footnote-back-ref">↩</a></p></li> <li id="fn:23"><p>Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:23" class="footnote-back-ref">↩</a></p></li> <li id="fn:24"><p>Daswani & Elbayadi 2021, p. 25. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:24" class="footnote-back-ref">↩</a></p></li> <li id="fn:25"><p>Seaman 2020, pp. 47–48. - Seaman, Jim (2020). PCI DSS: An Integrated Data Security Standard Guide. Apress. ISBN 978-1-4842-5808-8. <a href="#fnref:25" class="footnote-back-ref">↩</a></p></li> <li id="fn:26"><p>Daswani & Elbayadi 2021, pp. 26–27. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:26" class="footnote-back-ref">↩</a></p></li> <li id="fn:27"><p>Daswani & Elbayadi 2021, p. 25. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:27" class="footnote-back-ref">↩</a></p></li> <li id="fn:28"><p>Sloan & Warner 2019, pp. 104–105. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:28" class="footnote-back-ref">↩</a></p></li> <li id="fn:29"><p>Ablon & Bogart 2017, p. 2. - Ablon, Lillian; Bogart, Andy (2017). Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits (PDF). Rand Corporation. ISBN 978-0-8330-9761-3. <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf</a> <a href="#fnref:29" class="footnote-back-ref">↩</a></p></li> <li id="fn:30"><p>Daswani & Elbayadi 2021, p. 19–22. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:30" class="footnote-back-ref">↩</a></p></li> <li id="fn:31"><p>Daswani & Elbayadi 2021, p. 15. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:31" class="footnote-back-ref">↩</a></p></li> <li id="fn:32"><p>Ntantogian, Malliaros & Xenakis 2019. - Ntantogian, Christoforos; Malliaros, Stefanos; Xenakis, Christos (2019). "Evaluation of password hashing schemes in open source web platforms". Computers & Security. 84: 206–224. doi:10.1016/j.cose.2019.03.011. <a href="https://zenodo.org/record/2632724" target="_blank">https://zenodo.org/record/2632724</a> <a href="#fnref:32" class="footnote-back-ref">↩</a></p></li> <li id="fn:33"><p>Daswani & Elbayadi 2021, pp. 22–23. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:33" class="footnote-back-ref">↩</a></p></li> <li id="fn:34"><p>Fowler 2016, pp. 19–20. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:34" class="footnote-back-ref">↩</a></p></li> <li id="fn:35"><p>Daswani & Elbayadi 2021, pp. 22–23. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:35" class="footnote-back-ref">↩</a></p></li> <li id="fn:36"><p>Fowler 2016, pp. 19–20. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:36" class="footnote-back-ref">↩</a></p></li> <li id="fn:37"><p>Sloan & Warner 2019, p. 94. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:37" class="footnote-back-ref">↩</a></p></li> <li id="fn:38"><p>Makridis 2021, p. 3. - Makridis, Christos A (2021). "Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018". Journal of Cybersecurity. 7 (1). doi:10.1093/cybsec/tyab021. <a href="https://doi.org/10.1093%2Fcybsec%2Ftyab021" target="_blank">https://doi.org/10.1093%2Fcybsec%2Ftyab021</a> <a href="#fnref:38" class="footnote-back-ref">↩</a></p></li> <li id="fn:39"><p>Sloan & Warner 2019, p. 94. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:39" class="footnote-back-ref">↩</a></p></li> <li id="fn:40"><p>Daswani & Elbayadi 2021, pp. 16–19. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:40" class="footnote-back-ref">↩</a></p></li> <li id="fn:41"><p>Sloan & Warner 2019, pp. 106–107. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:41" class="footnote-back-ref">↩</a></p></li> <li id="fn:42"><p>Daswani & Elbayadi 2021, p. 28. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:42" class="footnote-back-ref">↩</a></p></li> <li id="fn:43"><p>Fowler 2016, p. 19. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:43" class="footnote-back-ref">↩</a></p></li> <li id="fn:44"><p>Fowler 2016, pp. 18–19. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:44" class="footnote-back-ref">↩</a></p></li> <li id="fn:45"><p>Daswani & Elbayadi 2021, pp. 31–32. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:45" class="footnote-back-ref">↩</a></p></li> <li id="fn:46"><p>Solove & Hartzog 2022, pp. 69–70. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:46" class="footnote-back-ref">↩</a></p></li> <li id="fn:47"><p>Daswani & Elbayadi 2021, pp. 7, 9–10. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:47" class="footnote-back-ref">↩</a></p></li> <li id="fn:48"><p>Daswani & Elbayadi 2021, pp. 200–201. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:48" class="footnote-back-ref">↩</a></p></li> <li id="fn:49"><p>Daswani & Elbayadi 2021, pp. 203–204. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:49" class="footnote-back-ref">↩</a></p></li> <li id="fn:50"><p>Daswani & Elbayadi 2021, p. 205. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:50" class="footnote-back-ref">↩</a></p></li> <li id="fn:51"><p>Fowler 2016, p. 45. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:51" class="footnote-back-ref">↩</a></p></li> <li id="fn:52"><p>Daswani & Elbayadi 2021, pp. 206–207. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:52" class="footnote-back-ref">↩</a></p></li> <li id="fn:53"><p>Fisher et al. 2024, Title page. - Fisher, William; Craft, R. Eugene; Ekstrom, Michael; Sexton, Julian; Sweetnam, John (2024). Data Confidentiality: Identifying and Protecting Assets Against Data Breaches (PDF) (Report). NIST Special Publications. National Institute of Standards and Technology. <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-28.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-28.pdf</a> <a href="#fnref:53" class="footnote-back-ref">↩</a></p></li> <li id="fn:54"><p>Fisher et al. 2024, p. 2. - Fisher, William; Craft, R. Eugene; Ekstrom, Michael; Sexton, Julian; Sweetnam, John (2024). Data Confidentiality: Identifying and Protecting Assets Against Data Breaches (PDF) (Report). NIST Special Publications. National Institute of Standards and Technology. <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-28.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-28.pdf</a> <a href="#fnref:54" class="footnote-back-ref">↩</a></p></li> <li id="fn:55"><p>Fowler 2016, p. 210. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:55" class="footnote-back-ref">↩</a></p></li> <li id="fn:56"><p>Daswani & Elbayadi 2021, p. 217. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:56" class="footnote-back-ref">↩</a></p></li> <li id="fn:57"><p>Daswani & Elbayadi 2021, pp. 215–216. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:57" class="footnote-back-ref">↩</a></p></li> <li id="fn:58"><p>Tjoa et al. 2024, p. 14. - Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). Cyber Resilience Fundamentals. Springer Nature. ISBN 978-3-031-52064-8. <a href="#fnref:58" class="footnote-back-ref">↩</a></p></li> <li id="fn:59"><p>Daswani & Elbayadi 2021, p. 217. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:59" class="footnote-back-ref">↩</a></p></li> <li id="fn:60"><p>Lenhard 2022, p. 53. - Lenhard, Thomas H. (2022). Data Security: Technical and Organizational Protection Measures against Data Loss and Computer Crime. Springer Nature. ISBN 978-3-658-35494-7. <a href="#fnref:60" class="footnote-back-ref">↩</a></p></li> <li id="fn:61"><p>Daswani & Elbayadi 2021, p. 218. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:61" class="footnote-back-ref">↩</a></p></li> <li id="fn:62"><p>Daswani & Elbayadi 2021, pp. 218–219. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:62" class="footnote-back-ref">↩</a></p></li> <li id="fn:63"><p>Daswani & Elbayadi 2021, pp. 314–315. - Daswani, Neil; Elbayadi, Moudy (2021). Big Breaches: Cybersecurity Lessons for Everyone. Apress. ISBN 978-1-4842-6654-0. <a href="https://books.google.com/books?id=HtkHzgEACAAJ" target="_blank">https://books.google.com/books?id=HtkHzgEACAAJ</a> <a href="#fnref:63" class="footnote-back-ref">↩</a></p></li> <li id="fn:64"><p>Tjoa et al. 2024, p. 68. - Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). Cyber Resilience Fundamentals. Springer Nature. ISBN 978-3-031-52064-8. <a href="#fnref:64" class="footnote-back-ref">↩</a></p></li> <li id="fn:65"><p>Lenhard 2022, p. 60. - Lenhard, Thomas H. (2022). Data Security: Technical and Organizational Protection Measures against Data Loss and Computer Crime. Springer Nature. ISBN 978-3-658-35494-7. <a href="#fnref:65" class="footnote-back-ref">↩</a></p></li> <li id="fn:66"><p>Fowler 2016, p. 184. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:66" class="footnote-back-ref">↩</a></p></li> <li id="fn:67"><p>Solove & Hartzog 2022, p. 146. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:67" class="footnote-back-ref">↩</a></p></li> <li id="fn:68"><p>Tjoa et al. 2024, p. 69. - Tjoa, Simon; Gafić, Melisa; Kieseberg, Peter (2024). Cyber Resilience Fundamentals. Springer Nature. ISBN 978-3-031-52064-8. <a href="#fnref:68" class="footnote-back-ref">↩</a></p></li> <li id="fn:69"><p>Crawley 2021, p. 39. - Crawley, Kim (2021). 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business. John Wiley & Sons. ISBN 978-1-119-81124-4. <a href="https://books.google.com/books?id=51U-EAAAQBAJ" target="_blank">https://books.google.com/books?id=51U-EAAAQBAJ</a> <a href="#fnref:69" class="footnote-back-ref">↩</a></p></li> <li id="fn:70"><p>Fowler 2016, p. 64. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:70" class="footnote-back-ref">↩</a></p></li> <li id="fn:71"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 25. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:71" class="footnote-back-ref">↩</a></p></li> <li id="fn:72"><p>Fowler 2016, p. 4. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:72" class="footnote-back-ref">↩</a></p></li> <li id="fn:73"><p>Crawley 2021, p. 97. - Crawley, Kim (2021). 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business. John Wiley & Sons. ISBN 978-1-119-81124-4. <a href="https://books.google.com/books?id=51U-EAAAQBAJ" target="_blank">https://books.google.com/books?id=51U-EAAAQBAJ</a> <a href="#fnref:73" class="footnote-back-ref">↩</a></p></li> <li id="fn:74"><p>Fowler 2016, pp. 5, 32. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:74" class="footnote-back-ref">↩</a></p></li> <li id="fn:75"><p>Fowler 2016, p. 86. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:75" class="footnote-back-ref">↩</a></p></li> <li id="fn:76"><p>Fowler 2016, p. 94. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:76" class="footnote-back-ref">↩</a></p></li> <li id="fn:77"><p>Fowler 2016, pp. 4–5. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:77" class="footnote-back-ref">↩</a></p></li> <li id="fn:78"><p>Fowler 2016, pp. 120–122. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:78" class="footnote-back-ref">↩</a></p></li> <li id="fn:79"><p>Fowler 2016, p. 115. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:79" class="footnote-back-ref">↩</a></p></li> <li id="fn:80"><p>Fowler 2016, p. 116. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:80" class="footnote-back-ref">↩</a></p></li> <li id="fn:81"><p>Fowler 2016, pp. 117–118. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:81" class="footnote-back-ref">↩</a></p></li> <li id="fn:82"><p>Fowler 2016, p. 119. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:82" class="footnote-back-ref">↩</a></p></li> <li id="fn:83"><p>Fowler 2016, p. 124. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:83" class="footnote-back-ref">↩</a></p></li> <li id="fn:84"><p>Fowler 2016, pp. 81–82. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:84" class="footnote-back-ref">↩</a></p></li> <li id="fn:85"><p>Fowler 2016, p. 83. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:85" class="footnote-back-ref">↩</a></p></li> <li id="fn:86"><p>Fowler 2016, p. 128. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:86" class="footnote-back-ref">↩</a></p></li> <li id="fn:87"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 25. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:87" class="footnote-back-ref">↩</a></p></li> <li id="fn:88"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 22. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:88" class="footnote-back-ref">↩</a></p></li> <li id="fn:89"><p>Fowler 2016, p. 44. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:89" class="footnote-back-ref">↩</a></p></li> <li id="fn:90"><p>Solove & Hartzog 2022, p. 58. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:90" class="footnote-back-ref">↩</a></p></li> <li id="fn:91"><p>Fowler 2016, p. 5, 44. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:91" class="footnote-back-ref">↩</a></p></li> <li id="fn:92"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 13. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:92" class="footnote-back-ref">↩</a></p></li> <li id="fn:93"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 13. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:93" class="footnote-back-ref">↩</a></p></li> <li id="fn:94"><p>Fowler 2016, pp. 5–6. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:94" class="footnote-back-ref">↩</a></p></li> <li id="fn:95"><p>Fowler 2016, p. 13. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:95" class="footnote-back-ref">↩</a></p></li> <li id="fn:96"><p>Fowler 2016, p. 14. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:96" class="footnote-back-ref">↩</a></p></li> <li id="fn:97"><p>Fowler 2016, pp. 12–13. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:97" class="footnote-back-ref">↩</a></p></li> <li id="fn:98"><p>Davidoff 2019, "Modern dark data brokers". - Davidoff, Sherri (2019). Data Breaches: Crisis and Opportunity. Addison-Wesley Professional. ISBN 978-0-13-450772-9. <a href="#fnref:98" class="footnote-back-ref">↩</a></p></li> <li id="fn:99"><p>Solove & Hartzog 2022, p. 21. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:99" class="footnote-back-ref">↩</a></p></li> <li id="fn:100"><p>Howell, Christian Jordan; Maimon, David (2 December 2022). "Darknet markets generate millions in revenue selling stolen personal data, supply chain study finds". The Conversation. Retrieved 22 April 2024. <a href="https://theconversation.com/darknet-markets-generate-millions-in-revenue-selling-stolen-personal-data-supply-chain-study-finds-193506" target="_blank">https://theconversation.com/darknet-markets-generate-millions-in-revenue-selling-stolen-personal-data-supply-chain-study-finds-193506</a> <a href="#fnref:100" class="footnote-back-ref">↩</a></p></li> <li id="fn:101"><p>Garkava, Taisiia; Moneva, Asier; Leukfeldt, E. Rutger (2024). "Stolen data markets on Telegram: A crime script analysis and situational crime prevention measures". Trends in Organized Crime. doi:10.1007/s12117-024-09532-6. <a href="https://link.springer.com/article/10.1007/s12117-024-09532-6" target="_blank">https://link.springer.com/article/10.1007/s12117-024-09532-6</a> <a href="#fnref:101" class="footnote-back-ref">↩</a></p></li> <li id="fn:102"><p>Fowler 2016, pp. 13–14. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:102" class="footnote-back-ref">↩</a></p></li> <li id="fn:103"><p>Fowler 2016, p. 13. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:103" class="footnote-back-ref">↩</a></p></li> <li id="fn:104"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 27. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:104" class="footnote-back-ref">↩</a></p></li> <li id="fn:105"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 13. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:105" class="footnote-back-ref">↩</a></p></li> <li id="fn:106"><p>Solove & Hartzog 2022, p. 58. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:106" class="footnote-back-ref">↩</a></p></li> <li id="fn:107"><p>National Academies of Sciences, Engineering, and Medicine 2016, pp. 30–31. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:107" class="footnote-back-ref">↩</a></p></li> <li id="fn:108"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 29. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:108" class="footnote-back-ref">↩</a></p></li> <li id="fn:109"><p>Solove & Hartzog 2022, p. 56. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:109" class="footnote-back-ref">↩</a></p></li> <li id="fn:110"><p>National Academies of Sciences, Engineering, and Medicine 2016, pp. 27–29. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:110" class="footnote-back-ref">↩</a></p></li> <li id="fn:111"><p>Makridis 2021, p. 1. - Makridis, Christos A (2021). "Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018". Journal of Cybersecurity. 7 (1). doi:10.1093/cybsec/tyab021. <a href="https://doi.org/10.1093%2Fcybsec%2Ftyab021" target="_blank">https://doi.org/10.1093%2Fcybsec%2Ftyab021</a> <a href="#fnref:111" class="footnote-back-ref">↩</a></p></li> <li id="fn:112"><p>Fowler 2016, p. 22. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:112" class="footnote-back-ref">↩</a></p></li> <li id="fn:113"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 22. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:113" class="footnote-back-ref">↩</a></p></li> <li id="fn:114"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 22. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:114" class="footnote-back-ref">↩</a></p></li> <li id="fn:115"><p>Fowler 2016, p. 41. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:115" class="footnote-back-ref">↩</a></p></li> <li id="fn:116"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 22. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:116" class="footnote-back-ref">↩</a></p></li> <li id="fn:117"><p>Sloan & Warner 2019, p. 104. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:117" class="footnote-back-ref">↩</a></p></li> <li id="fn:118"><p>Makridis 2021, pp. 1, 7. - Makridis, Christos A (2021). "Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018". Journal of Cybersecurity. 7 (1). doi:10.1093/cybsec/tyab021. <a href="https://doi.org/10.1093%2Fcybsec%2Ftyab021" target="_blank">https://doi.org/10.1093%2Fcybsec%2Ftyab021</a> <a href="#fnref:118" class="footnote-back-ref">↩</a></p></li> <li id="fn:119"><p>Sloan & Warner 2019, p. 64. - Sloan, Robert H.; Warner, Richard (2019). Why Don't We Defend Better?: Data Breaches, Risk Management, and Public Policy. CRC Press. ISBN 978-1-351-12729-5. <a href="#fnref:119" class="footnote-back-ref">↩</a></p></li> <li id="fn:120"><p>National Academies of Sciences, Engineering, and Medicine 2016, pp. 8–10. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:120" class="footnote-back-ref">↩</a></p></li> <li id="fn:121"><p>Fowler 2016, p. 21. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:121" class="footnote-back-ref">↩</a></p></li> <li id="fn:122"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 10. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:122" class="footnote-back-ref">↩</a></p></li> <li id="fn:123"><p>Solove & Hartzog 2022, p. 10. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:123" class="footnote-back-ref">↩</a></p></li> <li id="fn:124"><p>Solove & Hartzog 2022, p. 41. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:124" class="footnote-back-ref">↩</a></p></li> <li id="fn:125"><p>Solove & Hartzog 2022, p. 42. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:125" class="footnote-back-ref">↩</a></p></li> <li id="fn:126"><p>Solove & Hartzog 2022, p. 43. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:126" class="footnote-back-ref">↩</a></p></li> <li id="fn:127"><p>Solove & Hartzog 2022, p. 44. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:127" class="footnote-back-ref">↩</a></p></li> <li id="fn:128"><p>Solove & Hartzog 2022, p. 45. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:128" class="footnote-back-ref">↩</a></p></li> <li id="fn:129"><p>Thomas 2023, pp. xxvii, xxix, xxxii–xxxiii, xxxiv. - Thomas, Liisa M. (2023). Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide (PDF). Thomson Reuters. ISBN 978-1-7319-5405-3. <a href="https://static.legalsolutions.thomsonreuters.com/product_files/relateddocs/243610_20248_1038.pdf" target="_blank">https://static.legalsolutions.thomsonreuters.com/product_files/relateddocs/243610_20248_1038.pdf</a> <a href="#fnref:129" class="footnote-back-ref">↩</a></p></li> <li id="fn:130"><p>Lesemann 2010, p. 206. - Lesemann, Dana J. (2010). "One More unto the Breach: An Analysis of Legal, Technological, and Policy Issues Involving Data Breach Notification Statutes". Akron Intellectual Property Journal. 4: 203. <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=" target="_blank">https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=</a> <a href="#fnref:130" class="footnote-back-ref">↩</a></p></li> <li id="fn:131"><p>Lesemann 2010, pp. 206–207. - Lesemann, Dana J. (2010). "One More unto the Breach: An Analysis of Legal, Technological, and Policy Issues Involving Data Breach Notification Statutes". Akron Intellectual Property Journal. 4: 203. <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=" target="_blank">https://heinonline.org/HOL/LandingPage?handle=hein.journals/akrintel4&div=12&id=&page=</a> <a href="#fnref:131" class="footnote-back-ref">↩</a></p></li> <li id="fn:132"><p>Joerling 2010, pp. 468–469. - Joerling, Jill (2010). "Data Breach Notification Laws: An Argument for a Comprehensive Federal Law to Protect Consumer Data". Washington University Journal of Law and Policy. 32: 467. <a href="https://heinonline.org/HOL/LandingPage?handle=hein.journals/wajlp32&div=16&id=&page=" target="_blank">https://heinonline.org/HOL/LandingPage?handle=hein.journals/wajlp32&div=16&id=&page=</a> <a href="#fnref:132" class="footnote-back-ref">↩</a></p></li> <li id="fn:133"><p>Seaman 2020, pp. 6–7. - Seaman, Jim (2020). PCI DSS: An Integrated Data Security Standard Guide. Apress. ISBN 978-1-4842-5808-8. <a href="#fnref:133" class="footnote-back-ref">↩</a></p></li> <li id="fn:134"><p>Solove & Hartzog 2022, p. 40. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:134" class="footnote-back-ref">↩</a></p></li> <li id="fn:135"><p>Solove & Hartzog 2022, p. 40. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:135" class="footnote-back-ref">↩</a></p></li> <li id="fn:136"><p>Solove & Hartzog 2022, p. 10. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:136" class="footnote-back-ref">↩</a></p></li> <li id="fn:137"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 24. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:137" class="footnote-back-ref">↩</a></p></li> <li id="fn:138"><p>Talesh 2018, p. 237. - Talesh, Shauhin A. (2018). "Data Breach, Privacy, and Cyber Insurance: How Insurance Companies Act as "Compliance Managers" for Businesses". Law & Social Inquiry. 43 (2): 417–440. doi:10.1111/lsi.12303. <a href="https://doi.org/10.1111%2Flsi.12303" target="_blank">https://doi.org/10.1111%2Flsi.12303</a> <a href="#fnref:138" class="footnote-back-ref">↩</a></p></li> <li id="fn:139"><p>Solove & Hartzog 2022, p. 48. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:139" class="footnote-back-ref">↩</a></p></li> <li id="fn:140"><p>Solove & Hartzog 2022, pp. 48–49. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:140" class="footnote-back-ref">↩</a></p></li> <li id="fn:141"><p>Solove & Hartzog 2022, p. 52. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:141" class="footnote-back-ref">↩</a></p></li> <li id="fn:142"><p>Solove & Hartzog 2022, p. 53. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:142" class="footnote-back-ref">↩</a></p></li> <li id="fn:143"><p>Fowler 2016, p. 5. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:143" class="footnote-back-ref">↩</a></p></li> <li id="fn:144"><p>Fowler 2016, p. 222. - Fowler, Kevvie (2016). Data Breach Preparation and Response: Breaches are Certain, Impact is Not. Elsevier Science. ISBN 978-0-12-803451-4. <a href="https://books.google.com/books?id=m5SZBgAAQBAJ" target="_blank">https://books.google.com/books?id=m5SZBgAAQBAJ</a> <a href="#fnref:144" class="footnote-back-ref">↩</a></p></li> <li id="fn:145"><p>Solove & Hartzog 2022, pp. 55, 59. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:145" class="footnote-back-ref">↩</a></p></li> <li id="fn:146"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 22. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:146" class="footnote-back-ref">↩</a></p></li> <li id="fn:147"><p>Solove & Hartzog 2022, pp. 55, 59. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:147" class="footnote-back-ref">↩</a></p></li> <li id="fn:148"><p>Solove & Hartzog 2022, p. 55. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:148" class="footnote-back-ref">↩</a></p></li> <li id="fn:149"><p>Solove & Hartzog 2022, p. 55. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:149" class="footnote-back-ref">↩</a></p></li> <li id="fn:150"><p>Solove & Hartzog 2022, p. 53. - Solove, Daniel J.; Hartzog, Woodrow (2022). Breached!: Why Data Security Law Fails and How to Improve it. Oxford University Press. ISBN 978-0-19-094057-7. <a href="https://books.google.com/books?id=EenMzQEACAAJ" target="_blank">https://books.google.com/books?id=EenMzQEACAAJ</a> <a href="#fnref:150" class="footnote-back-ref">↩</a></p></li> <li id="fn:151"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 23. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:151" class="footnote-back-ref">↩</a></p></li> <li id="fn:152"><p>National Academies of Sciences, Engineering, and Medicine 2016, p. 23. - National Academies of Sciences, Engineering, and Medicine (2016). "Forum on Cyber Resilience Workshop Series". Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop. National Academies Press. ISBN 978-0-309-44505-4. <a href="https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings" target="_blank">https://nap.nationalacademies.org/catalog/23559/data-breach-aftermath-and-recovery-for-individuals-and-institutions-proceedings</a> <a href="#fnref:152" class="footnote-back-ref">↩</a></p></li> </ol>