Has the word ‘breach’ has outlived its usefulness?

Security is an industry that changes rapidly, as should its terminology. Given the speed with which technology and its context evolves, it comes as no surprise that words that were once sufficient to express a security concept may before long cease to be useful in that same capacity. After a few significant, high profile privacy gaffes in the last few years, the word “breach” may either need to be expanded or replaced.

What is a breach?

A quick search for definitions of the word “breach” result in a few different, relevant options:

1. A gap made by breaking through a wall, barrier, or defense.
2. Breaking or failing to observe a law, standard, agreement, or code of conduct.

In a security context, “breach” has historically tended to fit the first meaning, though companies are often fined for being in violation of regulations after a breach. That said, recent privacy gaffes seem to be expanding the security-specific version to include violations of informal expectations of appropriate conduct as well.

It may seem that, since both meanings fit comfortably within the English definition of the word, this is fine. But arguably, this just dilutes the meaning and makes it less clear what transpired, or what actions should be taken in the aftermath. Very different actions and reactions may seem appropriate, depending on what type of incident occurred, and whether there’s evidence that attackers accessed sensitive data.

Broadening the definition

For the purposes of this post let’s clarify that I’m talking about three different scenarios: breach types 1, 2 and 3. The strictest – and most widely accepted – definition I’ve seen of “breach” is that a gap was found in a defense, and that attackers accessed or exfiltrated data. We’ll call this breach Type 1.

Something I’ve also heard included in the definition of breach is where a gap was made or found, but that no unauthorized parties accessed data. The organization in question is announcing that they’ve found and fixed a problem before any damage could be done. We’ll call this breach Type 2.

The most rare and problematic definition is a privacy blunder that fits the second definition above, rather than the first. This variety also does not actually require an attacker; customer data was intentionally exposed. We’ll call this breach Type 3.

The implication for the first two types of breach is that an attack – or accident – happened. The company that was breached, even if found to be criminally negligent in failing to maintain adequate defenses, is generally considered to be the victim of a crime. In Type 1, customers are also victimized. The expected response after such incidents is for the company to address the gap, pay for credit monitoring when appropriate, and to apologize to customers who can now take steps to protect themselves.

An example of Type 3 would be a company failing to adhere to acceptable standards of care with regards to customers’ sensitive data. The usual response to the discovery of this type of incident – though it’s the most problematic and reprehensible one – is for the company to argue that it’s not actually a problem, because this scenario was spelled out within the End User License Agreement (EULA). Customers have little recourse against this type of breach because it often deals with “marketing data”, which may or may not be personally identifiable. This doesn’t make the violation of privacy any less impactful, however.

Type 2 is almost a “breach-lite”, because a company is being proactive and transparent about a potential problem that was found and fixed. The end result of this sort of announcement tends to be an overall improvement in customer trust.

Types 1 and 3 are more problematic and tend to result in long-term damage to an organization’s image. In the worst-case scenario of either Type 1 or 3, companies are playing fast and loose with data that have been entrusted to them. But it’s still worthwhile to draw a clear line between the two different types of event

How definitions inform our response

The distinction between failing to make the necessary investments to adequately protect our data and deciding that our PII is their resource to do with as they wish, may seem slight. But the difference is significant in what it tells us about future behavior.

One of these is an act of omission and apologies are often swift; the other is an act of commission and is often vigorously defended before any apologizing occurs. It’s reasonable for customers to be wary after Type 1, but eventually to trust again if the company proves that it has improved its defenses. It’s also reasonable, after Breach 3, for customers to have a much greater feeling of distrust; this sort of incident shows that a company’s business model may be at odds with protecting our privacy.