137 countries have legislated data protection laws and guidelines to protect information and privacy.
Examples of data protection laws and guidelines around the world include:
- The General Data Protection Regulation (GDPR) in the European Union requires notification within 72 hours of data breaches involving any unauthorized loss, disclosure, modification or destruction of personal data.
- In the UK, the Data Protection Act sets out requirements similar to the GDPR.
- The California Consumer Privacy Act (CCPA) includes rights of access, data portability and erasure, as well as the ability for consumers to opt out of the sale of their personal information. Other US states are following California's lead, including Virginia and Colorado.
- China's new Personal Information Protection Law (PIPL) serves a data protection purpose, but also enforces digital sovereignty.
- The Brazilian General Data Protection Law (LGPD) is based on the GDPR, and includes data breach notification requirements.
- Other jurisdictions like Australia, New Zealand, Canada, Singapore, Japan and South Korea all have comprehensive privacy laws which include data security obligations when handling personal information.
Despite the widespread global adoption of data privacy and data protection regulations, research consistently confirms a few simple human errors contribute to at least thirty percent of data breaches [3].
Surveyed organizations report repeated instances of data breaches and loss through inadvertent human actions. The most common human errors contributing to data breaches and loss include emailing sensitive information to the wrong recipient, unintentionally publishing protected information, and losing data through misplaced paperwork or storage devices.
Other human actions contributing to data breaches and losses include forgetting to put large numbers of email recipients in the BCC field, storing sensitive data in draft emails with no classification, remote work environments distracting from best-in-class cybersecurity practices, and losing or sharing employer-issued devices.