Data breaches were not going to stop just because the European Union’s General Data Protection Regulation (GDPR) went into effect May 25. One of the first to happen since the compliance regulations went live occurred June 3, when event ticketing company Ticketfly was hacked and taken offline. It has since been revealed that Ticketfly suffered a data breach in which more than 27 million accounts were compromised.
No word yet on whether Ticketfly falls under GDPR rules—the company primarily deals with events in the United States, so it is uncertain whether it has EU customers—but the official statement does not include the term “data breach.” Rather, it refers to the attack as a “cyber incident” and notes that the information of its customers was accessed.
Was this terminology incidental? Probably not. The words we use in regard to cybersecurity are important, especially now with GDPR.
A Breach Is Not Always a Breach
“Data breach” has long been the catch-all term for virtually any cyber incident. The average user understands the general concept of a breach, but doesn’t always realize that there are many cyberattacks that don’t result in a data breach. Ransomware, for instance, encrypts files and makes them inaccessible until the ransom is paid, but often the files themselves are never opened and the data is never exfiltrated or exposed. Yet, when reported, ransomware attacks are almost always equated with a data breach: something happened to the data, therefore it was breached.
However, using “breach” as a generic term can turn into a legal headache. Calling an event a breach when it wasn’t one at all could open your organization up to fines, compliance violations and more.
What Is the Right Term?
According to Benjamin Wright, an attorney and instructor of the SANS Institute course Law of Data Security & Investigations, words such as “breach,” “incident” and “vulnerability” are subject to much interpretation.
“An event might look like a breach at first,” he explained, “but it may look different upon more careful examination. The quantities of evidence that might be relevant to an investigation can be enormous. Experts can disagree about which evidence (logs, alarms and so on) is relevant and which is not.”
There are legal definitions for these terms. However, Wright pointed out, while laws such as GDPR attempt to define these words, the definitions they give rest on subjective standards. “For example, under GDPR and some breach notice laws in the United States, a ‘breach’ means that something has happened that has caused a high risk of harm to individuals,” he said.
Making it more complicated, even experts can’t always agree on whether a given event is a data breach, a vulnerability, or something more benign.
“Two different teams of experts can look at the same facts and reach different conclusions about whether individuals face a high risk of harm,” said Wright. “Much depends upon subjective evaluation of the facts. Different experts will place more emphasis on this fact versus another fact.”
Reporting Incidents Should Focus on the Details
Reporting the details of a security incident as accurately as possible is imperative, said Jeff Dennis, an attorney specializing in cybersecurity issues and a partner at Newmeyer & Dillion. These details will have a direct impact on a number of areas related to a security incident, such as regulated notification requirements and insurance coverage.
“The type of data breach will impact what, if any, notification is required,” said Dennis. “For instance, in California, an electronic data breach in excess of 50 impacted individuals requires not only notification to the affected individuals, but also to the California Attorney General. However, if paper data is solely compromised, no such requirement exists.” Here, the language used determines which notification regulations apply.
Another issue is whether a company has insurance to cover any exposure arising from the incident. “How an incident is described will likely have a direct impact on whether insurance coverage is afforded or not,” Dennis explained. “For example, whether a breach is an actual breach or a potential breach may impact coverage.”
And, of course, GDPR has made everything more complicated. GDPR guidelines require companies to examine the likelihood and severity of the potential impact of a data breach on covered “subjects,” that is, individuals. For example, GDPR requires organizations to review the specific type of breach that has occurred and the nature, sensitivity and volume of the personal data that has been compromised.
“These are only two of the numerous considerations that must be weighed,” said Dennis, “but they are used to illustrate a very specific point: The accuracy of the language used to describe a security incident is paramount to proper compliance with GDPR. The language used to describe the incident will impact the rights of the individuals involved, the responsibilities of the offending company, notification requirements and potential consequences for the security incident.”
Words matter in cybersecurity. Using the wrong words could end up costing you.