[BreachExchange] Has the word ‘breach’ outlived its usefulness?

Destry Winant destry at riskbasedsecurity.com
Thu Nov 29 08:18:45 EST 2018


https://www.csoonline.com/article/3322908/data-breach/has-the-word-breach-has-outlived-its-usefulness.html

Security is an industry that changes rapidly, as should its
terminology. Given the speed with which technology and its context
evolves, it comes as no surprise that words that were once sufficient
to express a security concept may before long cease to be useful in
that same capacity. After a few significant, high profile privacy
gaffes in the last few years, the word “breach” may either need to be
expanded or replaced.

What is a breach?

A quick search for definitions of the word “breach” results in a few
different, relevant options:

A gap made by breaking through a wall, barrier, or defense.
Breaking or failing to observe a law, standard, agreement, or code of conduct.

In a security context, “breach” has historically tended to fit the
first meaning, though companies are often fined for being in violation
of regulations after a breach. That said, recent privacy gaffes seem
to be expanding the security-specific version to include violations of
informal expectations of appropriate conduct as well.

It may seem that, since both meanings fit comfortably within the
English definition of the word, this is fine. But arguably, this just
dilutes the meaning and makes it less clear what transpired, or what
actions should be taken in the aftermath. Very different actions and
reactions may seem appropriate, depending on what type of incident
occurred, and whether there’s evidence that attackers accessed
sensitive data.

Broadening the definition

For the purposes of this post let’s clarify that I’m talking about
three different scenarios: breach types 1, 2 and 3. The strictest –
and most widely accepted – definition I’ve seen of “breach” is that a
gap was found in a defense, and that attackers accessed or exfiltrated
data. We’ll call this breach Type 1.

Something I’ve also heard included in the definition of breach is
where a gap was made or found, but that no unauthorized parties
accessed data. The organization in question is announcing that they’ve
found and fixed a problem before any damage could be done. We’ll call
this breach Type 2.

The rarest and most problematic definition is a privacy blunder that
fits the second definition above, rather than the first. This variety
also does not actually require an attacker; customer data was
intentionally exposed. We’ll call this breach Type 3.

The implication for the first two types of breach is that an attack –
or accident – happened. The company that was breached, even if found
to be criminally negligent in failing to maintain adequate defenses,
is generally considered to be the victim of a crime. In Type 1,
customers are also victimized. The expected response after such
incidents is for the company to address the gap, pay for credit
monitoring when appropriate, and to apologize to customers who can now
take steps to protect themselves.

An example of Type 3 would be a company failing to adhere to
acceptable standards of care with regards to customers’ sensitive
data. The usual response to the discovery of this type of incident –
though it’s the most problematic and reprehensible one – is for the
company to argue that it’s not actually a problem, because this
scenario was spelled out within the End User License Agreement (EULA).
Customers have little recourse against this type of breach because it
often deals with “marketing data”, which may or may not be personally
identifiable. This doesn’t make the violation of privacy any less
impactful, however.

Type 2 is almost a “breach-lite”, because a company is being proactive
and transparent about a potential problem that was found and fixed.
The end result of this sort of announcement tends to be an overall
improvement in customer trust.

Types 1 and 3 are more problematic and tend to result in long-term
damage to an organization’s image. In the worst-case scenario of
either Type 1 or 3, companies are playing fast and loose with data
that have been entrusted to them. But it’s still worthwhile to draw a
clear line between the two different types of event.

How definitions inform our response

The distinction between failing to make the necessary investments to
adequately protect our data and deciding that our PII is their
resource to do with as they wish, may seem slight. But the difference
is significant in what it tells us about future behavior.

One of these is an act of omission and apologies are often swift; the
other is an act of commission and is often vigorously defended before
any apologizing occurs. It’s reasonable for customers to be wary after
Type 1, but eventually to trust again if the company proves that it
has improved its defenses. It’s also reasonable, after Type 3, for
customers to have a much greater feeling of distrust; this sort of
incident shows that a company’s business model may be at odds with
protecting our privacy.
