Security is an industry that changes rapidly, as should its terminology. Given the speed with which technology and its context evolve, it comes as no surprise that words that were once sufficient to express a security concept may before long cease to be useful in that same capacity. After a few significant, high-profile privacy gaffes in the last few years, the word "breach" may either need to be expanded or replaced.

What is a breach?

A quick search for definitions of the word "breach" results in a few different, relevant options:

1. A gap made by breaking through a wall, barrier, or defense.
2. Breaking or failing to observe a law, standard, agreement, or code of conduct.

In a security context, "breach" has historically tended to fit the first meaning, though companies are often fined for being in violation of regulations after a breach. That said, recent privacy gaffes seem to be expanding the security-specific version to include violations of informal expectations of appropriate conduct as well.

It may seem that, since both meanings fit comfortably within the English definition of the word, this is fine. But arguably, this just dilutes the meaning and makes it less clear what transpired, or what actions should be taken in the aftermath. Very different actions and reactions may seem appropriate, depending on what type of incident occurred, and whether there is evidence that attackers accessed sensitive data.

Broadening the definition

For the purposes of this post, let's clarify that I'm talking about three different scenarios: breach Types 1, 2 and 3.

The strictest, and most widely accepted, definition I've seen of "breach" is that a gap was found in a defense, and that attackers accessed or exfiltrated data. We'll call this breach Type 1.

Something I've also heard included in the definition of breach is where a gap was made or found, but no unauthorized parties accessed data. The organization in question is announcing that it has found and fixed a problem before any damage could be done. We'll call this breach Type 2.

The rarest and most problematic definition is a privacy blunder that fits the second dictionary definition above, rather than the first. This variety does not actually require an attacker; customer data was intentionally exposed. We'll call this breach Type 3.

The implication for the first two types of breach is that an attack, or an accident, happened. The company that was breached, even if found to be criminally negligent in failing to maintain adequate defenses, is generally considered to be the victim of a crime. In Type 1, customers are also victimized. The expected response after such incidents is for the company to address the gap, pay for credit monitoring when appropriate, and apologize to customers, who can then take steps to protect themselves.

An example of Type 3 would be a company failing to adhere to acceptable standards of care with regard to customers' sensitive data. The usual response to the discovery of this type of incident, though it is the most problematic and reprehensible one, is for the company to argue that it is not actually a problem, because the scenario was spelled out within the End User License Agreement (EULA). Customers have little recourse against this type of breach because it often deals with "marketing data", which may or may not be personally identifiable. This doesn't make the violation of privacy any less impactful, however.

Type 2 is almost a "breach-lite", because a company is being proactive and transparent about a potential problem that was found and fixed. The end result of this sort of announcement tends to be an overall improvement in customer trust.

Types 1 and 3 are more problematic and tend to result in long-term damage to an organization's image. In the worst-case scenario of either Type 1 or Type 3, companies are playing fast and loose with data that have been entrusted to them. But it is still worthwhile to draw a clear line between the two different types of event.

How definitions inform our response

The distinction between failing to make the necessary investments to adequately protect our data and deciding that our PII is the company's resource to do with as it wishes may seem slight. But the difference is significant in what it tells us about future behavior.

One of these is an act of omission, and apologies are often swift; the other is an act of commission, and it is often vigorously defended before any apologizing occurs. It is reasonable for customers to be wary after a Type 1 breach, but eventually to trust again if the company proves that it has improved its defenses. It is also reasonable, after a Type 3 breach, for customers to have a much greater feeling of distrust; this sort of incident shows that a company's business model may be at odds with protecting our privacy.