In what may be the largest data breach ever publicly disclosed, Yahoo announced that a 2014 cyberattack breached at least 500 million user accounts. The company said it believes state-sponsored actors were responsible and that the stolen data includes names, email addresses, telephone numbers, dates of birth, and hashed passwords.

The data could also include security questions and answers, but Yahoo said that some accounts were encrypted. The company said its investigation did not reveal unhashed passwords or credit card or bank account information.

News of the breach comes soon after the $4.8 billion Verizon acquisition of Yahoo. Yahoo shares tumbled after the announcement, but analysts said the Verizon deal is not likely to be affected by the news. With the disclosure, Yahoo joins a growing list of U.S. companies to suffer a serious data breach since 2013.

There are five fundamental truths that a company’s privacy officers and legal counsel must be aware of in order to protect consumer data:

Only Required Data Should Be Collected and Stored
Sweeping up and storing data beyond what is needed in order to provide a company’s services opens the door for cyber criminals to access and expose more consumer personal data. A company’s leadership must think very carefully about what personal data it is collecting and why it is collecting it from its consumers – collecting and storing unnecessary personal data exposes consumers and the company to additional risk that is avoidable.

Adhere to the Principle of Least Privilege
The Principle of Least Privilege is a restrictive computing practice that allows a user to access only the data necessary for a legitimate purpose. By granting employees the least amount of access privilege they need, a company can minimize the number of employees who have access to consumer personal data, making the pool of employees with heightened access smaller and easier to manage.

Follow an Internal Privacy Policy
Having a privacy policy that establishes internal controls for who collects consumer personal data, how it is collected, where it is stored, and for how long it is stored is critical for protecting consumer personal data. The privacy policy should obligate every employee with access to consumer personal data to protect that data as well as obligating the company to provide annual training and updates to employees.

Plan for the Inevitable Breach
When, not if, a company is breached, it must stick to its breach plan to stay ahead of law enforcement, regulators, the media, and further disclosure of consumer personal data. The breach plan should be written alongside the company’s internal privacy policy – the documents go hand in hand and work together to help control a breach. Employees must know what their roles are during a breach, when they must act, and who they need to contact when they discover a breach. Not having a breach plan can lead to a reactive response, which makes investigating and containing the effects of the breach more difficult.

Industry Best Practices
Above all else, following industry best security practices is the best way to protect consumer personal data. Having a chief information security officer, legal staff and/or information technology director stay on top of trends, events and changes is the only way a company can both minimize the likelihood of a data breach and reduce the amount of data exposed when one occurs. Implementing and maintaining an updated and secure corporate network may be costly and scare executive management into inaction, but the cost of cleaning up a breach is far greater than finding money in the budget to hire security-minded staff and to harden the company’s systems.

It seems likely that the next decade will be difficult for IT professionals as breaches become increasingly common. Instead of fighting the trend, IT pros should embrace their fate and prepare for the inevitable breach.