Data Breach

by John Bandler

A data breach is the unlawful access to an organization's or person's data. Such breaches can have considerable financial, legal, and reputational consequences. Data breach is one of the three top-priority cybercrime threats that organizations and individuals should be aware of and protect against (the others are email-based funds transfer frauds and ransomware).

Certain cybercriminals devote their efforts to committing data breaches. Data breaches are serious crimes under federal law and the law of every state. When cybercriminals succeed in stealing data, they use it to commit further crimes such as theft and identity theft.

Read this if nothing else

  • Protect your data to try to prevent a breach.
  • Data breaches may trigger reporting and notification requirements mandated by law.
  • Laws may also require prevention measures.

Prevention of data breaches

Every person and organization should try to prevent a breach of their data, especially information that is confidential, sensitive, or personal. And yet some fail to appreciate the cybercrime threats we all face, or the potential consequences. But there are now increasing legal duties to protect against such crimes, recognizing that many organizations hold sensitive personal information relating to customers, clients, employees, and more. There are also legal duties to report certain data breaches to affected parties (those whose information was breached) and to the government. Every state now has data breach reporting laws; their purpose is to ensure that the government and consumers are notified when personal information is stolen. Without such requirements, many breached companies would simply keep it quiet.

Legal requirements

Many states (and regulators) require "reasonable security". That may be a vague requirement, but who can argue with the "reasonableness" of it? Indeed, what organization would ever want to proclaim that its security was below that standard, and risk being called "negligent"? Thus, organizations should focus on attaining and exceeding a level of reasonable cybersecurity, and resolve to continually improve their security program.

If there is a cybersecurity incident or data breach, certain things need to happen. There needs to be a reasonable investigation into what happened, to determine the facts. This can be time consuming, stressful, and costly. As in all areas, facts matter: was data breached, which data, when, how, and how can it be prevented from happening again? Based upon the facts, applicable laws need to be evaluated. Notification to affected parties and reporting to government might be required. That is a difficult position to be in, notifying others that your security was breached and personal information compromised.

Summing up the above in simple terms, organizations need to achieve reasonable security, investigate a potential data breach, and then comply with any reporting obligations.

Each state and regulator has its own rules, and that can create some confusion. Terminology varies, but remember that any rule can impose the above obligations, whether it is titled as a law relating to cybersecurity, information security, data breach, security breach, privacy, or something else. Within each rule are sets of definitions and triggers for reporting. At their heart, they protect information which can be used to assume a victim's identity, but they may call it "Personal Identifying Information", "Personal Information", "Personal Data", or another term, and the definitions vary.

Improving cybersecurity

Improving cybersecurity is the key to preventing data breaches. How does an organization attain and exceed "reasonable security"? I recommend following (my) Bandler's Four Pillars of Cybersecurity, having a cybersecurity policy and an incident response plan, following them, and pursuing continual improvement.

Conclusion

This is a brief summary with some simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

If your organization needs help with improving cybersecurity, creating or improving your policies, or complying with cybersecurity-related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity.

Additional reading

This article is hosted at https://johnbandler.com/data-breach and is about a priority cybercrime threat. Copyright John Bandler.

A version of this article is also available on Medium.com, at https://johnbandler.medium.com/data-breach-74f8e02dd758 (though not kept as current and without links).

Originally posted on 11/07/2020. Last updated on 11/04/2023.