When someone says a data breach has happened, it’s generally understood to mean that attackers have broken into a company and stolen sensitive information. But after a growing number of high-profile privacy gaffes, the definition of “breach” is being stretched to the breaking point.

Security is an industry that changes rapidly, as should its terminology. Given the speed with which technology and its context evolve, it comes as no surprise that words that were once sufficient to express a security concept may before long cease to be useful in that same capacity. After a few significant, high-profile privacy gaffes in the last few years, the word “breach” may either need to be expanded or replaced.

What is a breach?

A quick search for definitions of the word “breach” results in a few different, relevant options:

1. A gap made by breaking through a wall, barrier, or defense.
2. Breaking or failing to observe a law, standard, agreement, or code of conduct.

In a security context, “breach” has historically tended to fit the first meaning, though companies are often fined for being in violation of regulations after a breach. That said, recent privacy gaffes seem to be expanding the security-specific version to include violations of informal expectations of appropriate conduct as well.

It may seem that, since both meanings fit comfortably within the English definition of the word, this is fine. But arguably, this just dilutes the meaning and makes it less clear what transpired, or what actions should be taken in the aftermath. Very different actions and reactions may seem appropriate, depending on what type of incident occurred, and whether there’s evidence that attackers accessed sensitive data.

Broadening the definition

For the purposes of this post, let’s clarify that I’m talking about three different scenarios: breach Types 1, 2 and 3.

The strictest – and most widely accepted – definition I’ve seen of “breach” is that a gap was found in a defense, and that attackers accessed or exfiltrated data. We’ll call this breach Type 1.

Something I’ve also heard included in the definition of breach is where a gap was made or found, but no unauthorized parties accessed data. The organization in question is announcing that it has found and fixed a problem before any damage could be done. We’ll call this breach Type 2.

The most rare and problematic definition is a privacy blunder that fits the second definition above, rather than the first. This variety also does not actually require an attacker; customer data was intentionally exposed. We’ll call this breach Type 3.

The implication for the first two types of breach is that an attack – or accident – happened. The company that was breached, even if found to be criminally negligent in failing to maintain adequate defenses, is generally considered to be the victim of a crime. In Type 1, customers are also victimized. The expected response after such incidents is for the company to address the gap, pay for credit monitoring when appropriate, and apologize to customers, who can then take steps to protect themselves.

An example of Type 3 would be a company failing to adhere to acceptable standards of care with regard to customers’ sensitive data. The usual response to the discovery of this type of incident – though it’s the most problematic and reprehensible one – is for the company to argue that it’s not actually a problem, because this scenario was spelled out within the End User License Agreement (EULA). Customers have little recourse against this type of breach because it often deals with “marketing data”, which may or may not be personally identifiable. This doesn’t make the violation of privacy any less impactful, however.

Type 2 is almost a “breach-lite”, because a company is being proactive and transparent about a potential problem that was found and fixed. The end result of this sort of announcement tends to be an overall improvement in customer trust.

Types 1 and 3 are more problematic and tend to result in long-term damage to an organization’s image. In the worst-case scenario of either Type 1 or Type 3, companies are playing fast and loose with data that have been entrusted to them. But it’s still worthwhile to draw a clear line between the two different types of event.

How definitions inform our response

The distinction between failing to make the necessary investments to adequately protect our data and deciding that our PII is their resource to do with as they wish may seem slight. But the difference is significant in what it tells us about future behavior. One of these is an act of omission, and apologies are often swift; the other is an act of commission, and is often vigorously defended before any apologizing occurs.

It’s reasonable for customers to be wary after a Type 1 breach, but eventually to trust again if the company proves that it has improved its defenses. It’s also reasonable, after a Type 3 breach, for customers to have a much greater feeling of distrust; this sort of incident shows that a company’s business model may be at odds with protecting our privacy.