Are all data breaches negligible unless proven catastrophic?

Bad Privacy Blog by Claudiu Popa
3 min read · Aug 18, 2021


…or are they far more prevalent and significant than some would have you believe?

That depends. What do we mean by “data breach”? According to the bastion of impartiality that is Wikipedia.com, it is defined as:

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.

Not “authoritative” enough for you? According to the Cambridge University Dictionary a data breach is:

an occasion when private information can be seen by people who should not be able to see it

The venerable Macmillan English Dictionary for Advanced Learners simply defines a breach of security:

a situation in which someone gets into a place that is usually guarded, or discovers information that should be kept secret

So breaches don’t have to be committed by bad guys? Go figure! The federal Privacy Commissioner of Canada tackles the challenge this way:

A breach of security safeguards is defined in <federal private sector law> as the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.

Ah, so breaches may not even be caused by anyone other than an organization’s failure to establish those safeguards? In that case, forget malice. The breached organization can accomplish the feat through incompetence or simply an absence of security. Nice!

Imperva, a company whose own data breach compromised scores of clients, including school boards and edtech companies, simply relies on the Wikipedia definition, though they tend to avoid reminding people of their own failures.

Moving on, if Wikipedia is good enough for everyone else, it’s good enough for us. The free encyclopedia goes on to say:

A data breach may include <…> posting such information on the world wide web or on a computer otherwise accessible from the Internet without proper information security precautions

Needless to say, organizations whose own negligence represents the fundamental reason for the damage done to their customers are often quick to point out that the data breach, if you insist on calling it that, was entirely the brainchild of ill-intentioned, faceless attackers. And if they feel particularly ambitious, they go the extra mile to downplay the damage by using comforting language to imply that not much data was lost, anyway.

And so it was that in the case of a recent data breach impacting 1000 New York City students, notification letters were quick and consistent in claiming that the data was seen by only a single NYC student, ostensibly the one who discovered the breach in the first place.

A similar situation unfolded in the case of a recent Privacy Commissioner investigation into a data breach involving up to 123,000 students and an improperly protected edtech system.

Our investigation identified that the only breach associated with this vulnerability flowed from the complainant’s own actions, which did not result in a real risk of significant harm.

And so it is that, by shrewdly appealing to the philosophical challenge of proving a negative, negligent parties can use their own inability or unwillingness to detect breaches to place the burden of proof on the public.

And yet the test is not whether the data has been stolen (which of course it has), nor whether its new custodians will use it for profit (which of course they will), but simply whether one is willing to consider a worst case scenario: a real risk of significant harm, as written in federal law. It is only this simple test that needs considering, and nothing else. And yet…

In the presence of organizations with all the confidence and charisma of a medieval mountebank or contemporary pillow peddler, authorities with neither the training nor the necessary information to make an informed decision simply fold, pack up their tent and go home.

In persons grafted in a serious trust, Negligence is a crime. — William Shakespeare

With this paraphrased statement, Shakespeare did not quite go far enough, for the mere quest for a well-turned, unfalsifiable statement irredeemably reduces the once trusted custodian to the level of the illegitimate one.


Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, written & edited by Claudiu Popa; author, educator, booknerd.