Data Breach
A data breach is the unlawful access of an organization’s or person’s data. Such breaches can have considerable consequences of a financial, legal, and reputational nature. Data breach is one of the three top threats that organizations and individuals should be aware of and protect against (the others are email based funds transfer frauds and ransomware).
Certain cybercriminals devote their efforts to committing data breaches. Data breaches are serious crimes under federal law and the law of every state. Indeed, even an unsuccessful attempt to commit a data breach is a crime. But when these cybercriminals are successful, the stolen data can be used to commit more crimes: theft, identity theft, and more. Our government needs to improve its criminal investigation into cybercrime to bring more offenders to justice and deter this rampant crime, but that is the subject of my book on cybercrime investigations, not this article.
Every person and organization wants to prevent a breach of their data, especially any information that is confidential, sensitive, or personal. And yet some fail to appreciate the cybercrime threats we all face, nor the potential consequences. But now there are increasing legal duties to protect against such crimes, recognizing that many organizations hold sensitive personal information relating to customers, clients, employees, and more. There are also legal duties to report certain data breaches to affected parties (those whose information was breached) and to the government. Every state now has these data breach reporting laws, and the purpose is to ensure the government and consumers are notified when their personal information is stolen. Without such requirements, many breached companies would simply keep it quiet.
Many states (and regulators) require “reasonable security”. That may be a vague requirement, but who can argue with the “reasonableness” of it? Indeed, what organization would ever want to proclaim that their security was below that standard — and risk being called “negligent”? Thus, organizations should focus on attaining and exceeding a level of reasonable cybersecurity, and resolve to continually improve their security program.
If there is a cybersecurity incident or data breach, certain things need to happen. There needs to be a reasonable investigation into what happened, to determine the facts. This can be time consuming, stressful, and costly. As in all areas, facts matter. Was data breached, which data, when, and how to prevent it from happening again. Based upon the facts, applicable laws need to be evaluated. Notification to affected parties and reporting to government might be required. That is a difficult position to be in, notifying others that your security was breached, and personal information compromised.
Summing up the above in simple terms, organizations need to achieve reasonable security, investigate a potential data breach, and then comply with any reporting obligations.
Each state and regulator has their own rules, and that can create some confusion. Terminology may vary, but remember that any rule can impost the above obligations, even if it is titled as a law relating to cybersecurity, information security, data breach, security breach, privacy, and more. Within each rule are sets of definitions and triggers for reporting. At their heart, they protect information which can be used to assume a victim’s identity, but they may call it it “Personal Identifying Information”, “Personal Information”, “Personal Data” or other term, and the definitions will vary.
How does an organization attain and exceed “reasonable security”? I recommend following (my) Bandler’s Four Pillars of Cybersecurity, having a cybersecurity policy, an incident response plan, following them, and looking for continual improvement.
This is a brief summary with some simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. I cite to this article and it is for myself, students, clients, potential clients, and others in need of information. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
This article, plus some additional links and references, is also available on my website at https://johnbandler.com/data-breach.
Posted 11/2020.
