Defining a "Data Breach"

In the complex landscape of data privacy, state and federal laws regulating data breaches often present contrasting and overlapping definitions. But what precisely constitutes a "data breach"? Generally, it's an incident where confidential or protected information—ranging from personal data like names, Social Security numbers, and health information to confidential business records—is accessed, taken, or used without authorization. However, the specific definition of a breach under data privacy laws varies across jurisdictions and industries. Cybersecurity and data privacy attorney Michelle Reed sheds light on the nuances involved in classifying a cybersecurity incident as a breach according to legal standards. Despite the variability across jurisdictions, even minor differences in these definitions are significant, potentially triggering the urgent timelines for notification requirements.

Reed explains how, while large companies can face thousands of incidents, they may experience relatively few breaches, highlighting the critical role of robust security measures and informed data management in preventing unauthorized access from escalating. This approach underscores a proactive stance on cybersecurity, where knowing one's "crown jewels" and implementing layers of protection are paramount.

Determining whether a breach occurred can involve more than an examination of the type of data involved. For example, determining whether data was accessed versus exfiltrated can determine whether to classify an incident as a breach in certain jurisdictions and for certain industries. As Reed articulates, the evolving landscape of data protection regulations, including potential expansions in definitions by bodies like the SEC, presents new challenges and considerations for businesses evaluating which incidents require reporting as a data breach.

Michelle Reed is a partner at the law firm Akin Gump and the co-head of the firm's cybersecurity, privacy and data protection practice.

Additional Resources

1. General Data Protection Regulation (GDPR)

  • A regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

2. Gramm-Leach-Bliley Act (GLBA)

  • Also known as the Financial Services Modernization Act of 1999, this U.S. federal law requires financial institutions to explain how they share and protect their customers' private information. It also includes provisions to protect consumers from fraudulent access and use of their information.

3. California Consumer Privacy Act (CCPA)

  • A state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The CCPA provides California residents with the right to know what personal data is being collected about them and whether it is sold or disclosed and to whom.

4. Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA controls protected health information. It is a U.S. federal law that created standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

Defining a "Data Breach" Brief Transcript

Joel Cohen: Given the various state and federal laws regulating data breaches and the obligations they trigger, how are data breaches defined?

Michelle Reed: It's a great question. A breach is going to depend on the law that is applicable. You and I may use "breach" colloquially and say, "Okay, this is a breach because there was someone able to get into our systems; there was a breach of our systems." And so, you can think of it in that way. I prefer not to use that term; I usually use the term "security incident" because it's usually deemed an incident by the time I get involved, and unless and until I determine that personal data of specific individuals in specific jurisdictions are impacted, I don't classify it as a data breach. And that's really important because there are implications once you learn that you have personal data that is regulated by either state or federal statute that is implicated. Then, you suddenly are on clocks for notifying regulators like State Attorneys General or OCR or whoever it may be that you're providing notice to.

Joel Cohen: I'm imagining if someone hacked into your system, got past the digital moat and some of the digital walls that you're talking about, but never actually made it into the treasure troves of personal information. That would be an incident but not a breach?

Michelle Reed: That's exactly right. And that happens all the time. In fact, I have companies that have thousands and thousands of incidents but very, very few breaches. And that's important because you're never going to be able to have it be perfect. You're going to utilize subcontractors or vendors or software that has a problem that may have some sort of zero-day vulnerability or other vulnerability that you weren't aware of, and you're going to have incidents. But that's why you put other controls in place to prevent it from becoming a breach, which means you need to know what your important data is, whether it's information about consumers or investors or whoever, employee personal data. You need to know that; you need to know what your crown jewels are and where they are located. If you have trade secrets or if you have trading algorithms or if you have things that you don't want anyone seeing, you want to protect it so that there's a bunch of different hurdles. And so, like you said, you have your moat, you have your wall, you have a ton of different things. You want to make sure that if someone gets in over here, they're not able to traverse all the way to over here where we keep the crown jewels.

Joel Cohen: So, I shouldn't have all my customer, vendors, bank accounts, email accounts all as "password123"?

Michelle Reed: No, please don't have "password123". I can tell you one of my least favorite breaches I had was one where the help desk issued the same password. So, when someone would reset a password, they would do that "password123", and ultimately when they had a breach, they were able to move so quickly through the network because they were able to access everybody who called in, which was, I mean, at the time, it was like a third of the employees at one time or another had been issued passwords, and they just never reset. They didn't require a reset. The help desk was sending the wrong passwords in. Now, I would say most people are beyond that kind of poor cyber hygiene at this point in life. And frankly, most of the breaches that I've seen recently have been highly sophisticated. I'm telling you, you would never know that it was a threat actor that was doing what they were doing when they compromised information.

Joel Cohen: A couple more questions about what makes a breach a breach. Is there a significance threshold? Is it a breach if someone was able to just see, I don't know, how many customers you have or first names of customers?

Michelle Reed: For sure, that's a great question, and a complicated one. The answer is it depends. It depends on what industry you're in. So, if I'm representing a hospital and I see a list of patients, that's protected health information. Now, could I, you know, there are some things that you can do to assess risk of harm, and they have the four factors test on the healthcare side that enable you to get out of a notification, but is it still considered an incident that's ultimately a breach of protected health information? Yes. You may get out of having to provide a notification, but, for example, with investment advisors, you're subject to GLBA if you're a federally regulated entity. And entities that are subject to Gramm-Leach-Bliley have a very broad definition of non-public personal information, NPI. And NPI includes just the association. So, if I have an investment fund and an investor, simply that information alone is protected NPI. Now, does that require notice? Most of the time, the answer to that question is no, and it's really if it has that more sensitive personal information. But I'll note that the SEC is considering, and is likely to come out with, some rules that are probably going to be a little bit broader than the state law definitions, and that is where we're going to see, I think, a lot of concern and consideration that's going to need to go into the analytics of what data was truly impacted and does it require notice.

Joel Cohen: One other thing that differentiates is if they just accessed it or if they exfiltrated, they took the data. So, did I just see the data, or did I actually take the data? There are some laws that say you have to take the data in order to have a notification obligation, and there's others that say if you had access to it alone, that's sufficient. It may be, "Oh, they had access to this folder," and, you know, realistically, during that 1-hour window, they wouldn't have been able to scroll through the quantity of documents in there. So then, how do you treat the 100,000-page folder where someone had limited access to it?

Michelle Reed: That's exactly right. I mean, you'll see share drives that are accessed that have, you know, a terabyte of data, and they only accessed it for 5 minutes. So, does that mean that everything is considered exfiltrated and notice-dependent? My answer is it depends. Let me find out what's in there, what state you're in, and what business you're in, and it may or may not be.