
The language of data privacy: Breaches, leaks, losses, and more
Billions of accounts and individual users have been compromised through data breaches and leaks. The types of data exposed in these incidents represent different levels of danger to the victims. Companies, schools, governments, and other entities have different levels of liability depending on the type and amount of data lost, and whether there was any violation related to how data was protected.
There is no federal privacy law in the United States that covers all types of data. We have a patchwork of federal, state, and industry/association regulations, which is unfortunate because it creates uncertainty around the rights and responsibilities of data privacy.
Data exposure classifications
Any legislatively mandated response to a data compromise will define the events being regulated. These definitions may vary, but exposure events will often break down into data breaches, data leaks (or leakage), or data loss. These are commonly used terms with a widely shared understanding.
- The term data breach refers to an exposure caused by an intentional attack. When a threat actor gets into your system to pull data out, that is a breach. It doesn’t matter how the threat actor gets in. Any intentional act of entering the data system and stealing what’s there is a data breach.
- A data leak doesn’t require an intentional theft of data. The only thing necessary to trigger a leak is that the data be visible to unauthorized users. Data can be exposed through a misconfigured application, inappropriate permissions, or any kind of employee mistake that results in the data being shared outside of the intended group of users.
- Data loss is an event that occurs when valuable or sensitive data is destroyed or otherwise cannot be retrieved. Data loss can occur through physical system damage, file corruption, and accidental deletion. The term also refers to data that is encrypted or stolen by a threat actor. This term is probably the least agreed-upon of the three. Some consider data loss to describe only incidents that involve data destruction, while others consider it to include any incident that removes any of your sensitive data from your control.
Most of the time there is more than one classification in the picture. A data leak can lead to both a loss and a breach. A breach can result in data loss (looking at you, ransomware). And the restore/recovery process from data loss could inadvertently result in data leaks.
Using HIPAA to illustrate the differences
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates how health information and protected health information (PHI) is protected. HIPAA intends to protect a patient’s privacy while allowing health care professionals to coordinate with other providers and participate in medical research using de-identified data. HIPAA includes Privacy, Security, and Breach Notification rules.
I am not an expert in HIPAA or any other regulations. The language in HIPAA just helps us illustrate different types of exposure events.
Data breach vs. data leak
The Breach Notification rule defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”
The rule states that any “impermissible use or disclosure” is a breach unless the HIPAA-covered entity or business associate can show a low probability that PHI was compromised. There are four factors to consider in that probability assessment, including “whether the protected health information was actually acquired or viewed.” HIPAA doesn’t make the distinction, but we might refer to such an incident as a data leak. A data leak does not require the same response as a data breach.
Data breach vs. data loss
Under the Privacy Rule, breach notifications are only required if the breach involved unsecured PHI.
"Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance. …
The guidance … specifies encryption and destruction as the technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals."
This could be an example of data loss rather than data breach. The donation of a retired file server with PHI on the hard drive might not be a breach if the file type is unreadable without the application of origin. This might not be an accurate interpretation of the HIPAA Breach Notification rule, but it’s a good illustration of how protected data could be transferred to unauthorized personnel without being considered a data breach.
Why this matters
There are competing interests at work when it comes to data privacy. This isn’t always the intention, but that’s how it works out in many cases. Whatever your interests may be, you should understand where they fit into the bigger picture.
Business leaders need to understand their regulatory environment and compliance responsibilities. The company may be able to contain costs surrounding a data exposure incident if they have expert guidance in this area. Legal counsel and other subject matter experts should be consulted for this. Chambers of Commerce and other business associations often host events on these topics and can sometimes connect a company with a trusted resource.
Individual consumers should be aware that exposure of data might not trigger a notification or any particular response on the part of the compromised entity. It is also helpful for the public to understand that a data leak might be discovered and fixed, without the data ever being seen by a third party. Data privacy can be a frustrating subject for consumers because it’s buried in small print and legal language that can’t be negotiated. Understanding the language of data privacy helps consumers understand and exercise their rights.
Researchers need full visibility into the incidents that cause data exposures. Earlier this week we talked about the lack of information about health care ransomware attacks. The absence of comprehensive reporting masks the full scope of the issue and deprives us of any insights that might be gained. Furthermore, our legislative environment might not be nimble enough to adapt as needed. Health care researchers have suggested that confusion around ransomware and the Breach Notification rule led to some data breaches being reported late, misclassified, or not reported at all.
Legislators and policymakers are expected to make data-driven decisions. It isn’t possible to make the best-informed decisions when you don’t have the best possible data. Legislators generally want to protect consumers without creating unnecessary burdens on companies. They are in a better position to do that when they have access to all relevant information.
What’s next?
The next step is to make sure you have unique passwords everywhere. This is always the next step and it’s never off-topic. You can also check the breach database to see if your email or password has been compromised.
Information on data privacy is available from the Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), the Federal Trade Commission (FTC), and many more public, private, and educational institutions.
Finally, keep coming back for more on this topic. We’ll have another data privacy post in the next couple of weeks.
