Keeping up with cyberattacks and data breaches is hard when they occupy every news cycle, and the stakes keep rising: the average cost of a data breach in 2024 was $4.8 million.
Organizations need proactive data protection tools both to protect their data and to comply with regulations and laws. This post looks at the growth in data breaches, the compliance requirements that surround them, and best practices for protecting organizational and consumer data.
The Data Breach Epidemic
Organizations must keep their data safe at rest, in transit, and in use, because attackers are persistent and the data itself is what they are after.
In an RSAC 2025 Conference presentation, Alex Pinto, Associate Director of Threat Intelligence at Verizon Business, and Chris Novak, VP of Global Cybersecurity Solutions at Verizon Business, provided insight into the 2025 Verizon Data Breach Investigations Report (DBIR).
Novak stated that the 2025 DBIR reviewed 22,052 incidents, identified 139 victim countries, and analyzed 12,915 data breaches. The analysis found that the most common initial access vectors in 2024 were credential abuse (22%), exploitation of vulnerabilities (20%), and phishing (16%). These three vectors gave attackers their initial foothold, edge devices included. Pinto added, "60% of breaches involved the human element, 30% were from third parties, and 15% were espionage motivated."
To prevent data breaches, organizations should not only implement strong data controls and tools but also raise awareness among employees, partners, and users about handling and storing data safely and about human-targeted attacks such as phishing and social engineering.
Data Compliance and Regulations
Implementing strong data controls and tools to mitigate risks and attacks is important, but organizations must also comply with regulations and laws. They cannot simply delete data, because industry and regulatory retention requirements apply.
In an RSAC 2024 Conference presentation, Jordan McClintick, Data Governance, Privacy, and Protection Practice Leader at Optiv, said that building data retention policies becomes difficult when an organization has to follow regulations that vary by industry. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires one year of data retention, while the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Deposit Insurance Corporation (FDIC) require six years. Organizations should determine which retention regulations apply to them before building their retention schedule and controls.
While the US has no comprehensive federal data privacy law, Caitlin Sarian, Founder and Executive Director of Cybersecurity Girl, noted in an RSAC 2025 Conference presentation that “All 50 states in the US have enacted their own data breach laws.” Figure 1 shows a few states and the data privacy laws they have implemented.

Figure 1. RSAC 2025 Conference Presentation
Co-speaker Ronald Sarian, Global Chief Privacy Officer at Ingram Micro, listed other privacy laws such as the General Data Protection Regulation (GDPR) and the EU Cookie Directive. Although these are European laws rather than US ones, Sarian said that most US organizations follow them anyway, because it is important to tell users what information is being collected and how it is used.
Some industries have specific data compliance requirements of their own. Healthcare organizations must follow the HIPAA Privacy Rule, which safeguards protected health information (PHI) and electronic PHI (e-PHI). Financial services firms must comply with the Gramm-Leach-Bliley Act (GLBA), which requires them to protect customers' information with robust security measures. Even organizations not explicitly covered should meet these standards, so that their consumers' data stays safe and their data collection and usage remain transparent.
Best Practices and Tools to Protect Data
Multi-factor authentication (MFA), a Zero Trust architecture, encryption with keys the organization manages itself, and frameworks such as the NIST Cybersecurity Framework (CSF) 2.0 all help organizations prevent data breaches and cyberattacks.
Data Loss Prevention (DLP) is also a valuable tool for managing data security when implemented correctly. As Brian Vecci, Field CTO at Varonis, stated in an RSAC 2025 presentation, “DLP is looking at data at rest, data in motion, and data when it reaches the user endpoint, and then determining the sensitivity level to classify and label it for protection.” However, Vecci also noted DLP can fail without proper labeling.
To properly classify and label data, organizations can use sensitivity levels. Robin Franklin Guha, Security Engineer at Meta, suggested four common sensitivity levels in an RSAC 2025 presentation:
1. Sensitivity Level 1: Public Information
- Information already publicly available about the project or company (e.g., public job postings, company values, mission statement).
2. Sensitivity Level 2: Internal Only
- Information that should be accessible to everyone within the company (e.g., employee benefits information, general company policies).
3. Sensitivity Level 3: Confidential Information
- Highly sensitive information that should not be open to everyone at the company (e.g., privacy and legal documents, intellectual property, specific HR documents).
4. Sensitivity Level 4: Personally Identifiable Information (PII)
- Information that personally identifies an individual (e.g., budgets, candidate feedback, employee performance reviews, or specific user information in healthcare).
Data classification shortens investigation and response times because the organization already knows where its sensitive data resides. Labels also give administrators something to enforce against: sharing and download policies can block classified files from leaving the organization.
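To make the four levels concrete, here is an added example, written for this post rather than taken from Meta's or Varonis's tooling, of a rule-based classifier that assigns one of the levels and a policy check that blocks external sharing for anything above Public. The regexes, action names, and sample documents are constructed assumptions; a real DLP product uses far richer detection, but the shape of the decision is the same.

```python
import re
from dataclasses import dataclass, field

# The four sensitivity levels from the list above; higher number = more sensitive.
PUBLIC, INTERNAL, CONFIDENTIAL, PII = 1, 2, 3, 4
LABELS = {PUBLIC: "Public", INTERNAL: "Internal Only",
          CONFIDENTIAL: "Confidential", PII: "PII"}

# Assumed detection rules: (regex, level it implies, reason tag).
# Illustrative patterns written for this example, not a vendor's rule set.
RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), PII, "us-ssn"),
    (re.compile(r"\bMRN[- ]?\d{6,}\b"), PII, "medical-record-number"),
    (re.compile(r"\bperformance review\b", re.I), PII, "hr-review"),
    (re.compile(r"\battorney[- ]client privilege", re.I), CONFIDENTIAL, "legal"),
    (re.compile(r"\bpatent (draft|filing)\b", re.I), CONFIDENTIAL, "intellectual-property"),
    (re.compile(r"\binternal only\b|\bemployee handbook\b", re.I), INTERNAL, "internal-marker"),
]
# Content is only Public when someone explicitly marked it as released.
PUBLIC_MARKER = re.compile(r"\bapproved for public release\b", re.I)


@dataclass
class Classification:
    level: int
    label: str
    reasons: list = field(default_factory=list)


def classify(text: str) -> Classification:
    """Label text with the highest level any rule matches.

    Unmatched content defaults to Internal Only rather than Public: a DLP
    policy that fails open on unlabeled data is exactly the failure mode
    the speaker warned about.
    """
    level, reasons = INTERNAL, []
    for pattern, rule_level, reason in RULES:
        if pattern.search(text):
            reasons.append(reason)
            level = max(level, rule_level)
    if not reasons:
        if PUBLIC_MARKER.search(text):
            level, reasons = PUBLIC, ["public-release-marker"]
        else:
            reasons = ["default-unlabeled"]
    return Classification(level, LABELS[level], reasons)


# Which actions each level permits. Levels 3 and 4 never leave the tenant
# and never land on unmanaged devices; unknown actions are denied.
POLICY = {
    "share_external": {PUBLIC},
    "share_internal": {PUBLIC, INTERNAL},          # 3 and 4 need explicit grants
    "download_unmanaged": {PUBLIC, INTERNAL},
}


def allowed(action: str, level: int) -> bool:
    """Deny-by-default policy check keyed on the sensitivity level."""
    return level in POLICY.get(action, set())


def scan(docs: dict) -> dict:
    """Return {name: label} for a batch of documents."""
    return {name: classify(text).label for name, text in docs.items()}


# Constructed sample documents (not real data).
SAMPLE_DOCS = {
    "job_posting.txt": "Approved for public release. Hiring a security engineer.",
    "handbook.pdf": "INTERNAL ONLY. Employee handbook and 2025 benefits guide.",
    "legal_memo.docx": "Attorney-client privilege. Draft response to regulator.",
    "patient_export.csv": "MRN 0045812, SSN 123-45-6789, visit 2025-03-02",
    "meeting_notes.txt": "Notes from Tuesday's planning meeting.",
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        c = classify(text)
        verdict = "allow" if allowed("share_external", c.level) else "block"
        print(f"{name:20} L{c.level} {c.label:14} external share: {verdict}  ({', '.join(c.reasons)})")
```

Two design choices matter more than the regexes. First, the label is the maximum over all firing rules, so a document that carries both a public-release stamp and an SSN is still PII. Second, the default for unlabeled content is Internal Only, not Public, so a gap in detection keeps data inside the organization instead of quietly releasing it.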
Following data regulations and policies, adopting a Zero Trust architecture, enforcing MFA and least-privilege access, and deploying tools such as DLP all help mitigate risk and preserve the confidentiality and integrity of data. A proactive, layered defense built from these measures lets organizations protect their own data and, most importantly, keep sensitive information safe from unauthorized access, breaches, and misuse.