Image courtesy of Bargaineering
There seems to be a lack of distinction between a data breach and a security incident in the media of late. While many of the publicized security incidents are true data breaches, some are not. A data breach is a specific, serious type of security incident: the unauthorized release or exposure of sensitive, protected or confidential personal data, such as social security numbers or personal health records. Other types of security incidents, such as impersonation, denial of service and website defacement, don't involve the theft of sensitive personal data, and they are treated very differently in the eyes of the law and for purposes of regulatory compliance.
The key distinction is that organizations are not required to report most security incidents, but they are required by law to follow particular notification procedures in the case of a data breach. There is some controversy over who is responsible for public disclosure of other security incidents, and the SEC appears to be considering a disclosure framework, but it's not a requirement…yet.
While there are prescribed processes for handling data breaches, compliance is complicated because the rules vary from state to state and from country to country. The state of California, for example, specifies particular timeframes and procedures for breach notification. Many other states are far less specific, or impose no comparable requirements at all.
This situation of varying and inconsistent treatment of data breaches is getting politicians involved, with the notion of federal standards on data breach notifications being debated. The standardized data breach notification laws under consideration may also put more emphasis on sensitive data encryption, security monitoring and employee training. Lawmakers might also address “the blame game”, as there appears to be quite a bit of bickering going on between banks and retailers as to who is to blame for data breaches.
Interestingly, CEOs seem more likely to lose their jobs over data breaches than over other security incidents. This is not to say that other types of security incidents are not critical. It's just that, at this point at least, companies are not forced to disclose the "indecent exposure" details of those other incidents, and it is the forced disclosure that affects C-level executive jobs and stock price.
Even if you're not a CEO, if you're in IT or in contact with sensitive personal data, it's one heck of a liability. And with lawyers and politicians becoming increasingly involved, it appears that the situation will only get more stressful, and may eventually include mandatory disclosure of other types of security incidents as well.