Just catching up on a quick story that's circulating (if you read the news like I do) on what is being called a data breach... but is it?
The headline is "Santander Leaks 22,600 Account Details" (source: computing.co.uk), but at what point does an accidental disclosure (or an "error") cross the line into a data breach?
I think the discussion needs to be had. While Santander is doing the responsible thing here, when it comes to data breach laws in the US, how do we treat this? Where is the line drawn between an "accidental disclosure", which is just that, accidental, and a data breach that is the result of negligence?
It would seem the entire discussion hinges on cause: whether the cause was "an accident in spite of due diligence" or "a result of a lack of appropriate measures". What concerns me is this text from the article:
The ICO confirmed that it will be investigating the breach.
"We have recently been informed of a data breach involving Santander. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken," said an ICO spokesperson.
"Under the Data Protection Act, organisations that process personal information have an obligation to keep it secure; therefore, it is a matter of concern if information such as account details have been incorrectly provided to the wrong recipient," they added.
So we are left trying to figure out how to draw a line based on intent... and that's a very difficult thing.