A Simple Data Breach Guide (Interpreting GDPR)

Perhaps it’s too melodramatic to claim that the debate over how to define a data breach “rages on” because we haven’t seen bodies flying out of windows yet, but it is a serious question with genuine financial ramifications now that the General Data Protection Regulation (GDPR) and its accompanying fines for mishandling data have arrived to save (and sometimes confuse) the day.

The media and splashy headlines don’t help. To the average media outlet, if it involves data and sounds like news, it’s a breach. So before you form a suitably vile opinion of the heritage of the Regulation’s creators, let’s calm down and take a dispassionate look at the GDPR thought process as it went about placing firm rules on a nebulous topic.

Is it a breach, or isn’t it?

If life were so simple as to abide by cut and dried definitions, this article wouldn’t be necessary. But it’s not simple, and it is necessary. While most cybersecurity organizations would likely agree that a data breach involves some act of removing data from or viewing it on a system without permission, there is no all-knowing Data Breach Police Force to impose a definition.

The closest we can come is the aforementioned GDPR because this organization has vested in itself the power to levy substantial fines on those who run afoul of the data protection dictates. Since the powers-that-be behind this new regulation currently swing a hefty stick, let’s analyze how they define a personal data breach.

First, the big picture view:

“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

GDPR goes on to clarify that a data breach is a type of security incident but that not (Read more...)