[BreachExchange] Language Matters When It Comes to a Data Breach

Tue Jun 19 18:54:13 EDT 2018

https://securityboulevard.com/2018/06/language-matters-when-
it-comes-to-data-breach/

Data breaches were not going to stop just because the European Union’s
General Data Protection Regulation (GDPR) went into effect May 25. One of
the first ones to happen since the compliance regulations went live
happened June 3, when event ticketing company Ticketfly was hacked and
taken offline. It was since revealed Ticketfly suffered a data breach that
resulted in more than 27 million accounts compromised.

No word yet if Ticketfly falls under GDPR rules—the company primarily deals
with events in the United States, so it is uncertain whether it has EU
customers—but the official statement does not include the term “data
breach.” Rather, it refers to the attack as a “cyber incident” and notes
the information of its customers was accessed.

Was this terminology incidental? Probably not. The words we use in regard
to cybersecurity are important, especially now with GDPR.

A Breach Is Not Always a Breach

“Data breach” has long been the catch-all term for virtually any
cyberincident. The average user understands the general concept of a
breach, but doesn’t always realize that there are a variety of cyberattacks
that don’t result in a data breach. Ransomware, for instance, encrypts
files and makes them inaccessible until the ransom is paid, but often, the
files themselves aren’t opened and the data is never breached. Yet, when
reported, ransomware attacks are almost always equated with data breach.
Something happened to the data; therefore, it was breached.

However, using it as a generic term can turn into a legal headache. Using
breach when it wasn’t one at all could open up your organization to fines,
compliance violations and more.

What Is the Right Term?

According to Benjamin Wright, Attorney and SANS Institute instructor, Law
of Data Security & Investigations, words such as “breach,” “incident” and
“vulnerability” are subject to much interpretation.

“An event might look like a breach at first,” he explained, “but it may
look differently upon more careful examination. The quantities of evidence
that might be relevant to an investigation can be enormous. Experts can
disagree about which evidence (logs, alarms and so on) is relevant and
which is not.”

There are legal definitions for these terms. However, Wright pointed out,
laws such as GDPR often attempt to define these words, but those
definitions are according to subjective standards. “For example, under GDPR
and some breach notice laws in the United States, a ‘breach’ means that
something has happened that has caused a high risk of harm to individuals,”
he said.

Making it more complicated is that even experts can’t always agree on what
makes something a data breach or a vulnerability, or something more benign.

“Two different teams of experts can look at the same facts and reach
different conclusions about whether individuals face a high risk of harm,”
said Wright. “Much depends upon subjective evaluation of the facts.
Different experts will place more emphasis on this fact versus another
fact.”

Reporting Incidents Should Focus on the Details

Reporting the details of a security incident as accurately as possible is
imperative, said Jeff Dennis, an attorney specializing in cybersecurity
issues and a partner at Newmeyer & Dillion. These details will have a
direct impact on a number of areas related to a security incident, such as
regulated notification requirements and insurance coverage.

“The type of data breach will impact what, if any, notification is
required,” said Dennis. “For instance, in California, an electronic data
breach in excess of 50 impacted individuals requires both notification to
the affected individuals, but also the California Attorney General.
However, if paper data is solely compromised, no such requirement exists.”
Here, the language used impacts notification regulations.

Another issue is whether a company has insurance to cover any exposure
arising from the incident. “How an incident is described will likely have a
direct impact on whether insurance coverage is afforded or not,” Dennis
explained. “For example, whether a breach is an actual breach or a
potential breach may impact coverage.”

And, of course, GDPR has made everything more complicated. GDPR guidelines
require companies to examine the likelihood and severity of the potential
impact of a data breach on covered “subjects” or individuals. For example,
GDPR requires organizations review the specific type of breach that has
occurred and the nature, sensitivity and volume of personal data that has
been compromised.

“These are only two of the numerous considerations that must be weighed,”
said Dennis, “but they are used to illustrate a very specific point: The
accuracy of the language used to describe a security incident is paramount
to proper compliance with GDPR. The language used to describe the incident
will impact the rights of the individuals involved, the responsibilities of
the offending company, notification requirements and potential consequences
for the security incident.”

Words matter in cybersecurity. Using the wrong words could end up costing
you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180619/550535a6/attachment.html>