Friday, December 24, 2010

The Invisible Line Between "Error" and "Data Breach" ...

Just catching up on a quick story that's circulating (if you read the news like I do) on what is being called a data breach ...but is it?

The headline is "Santander Leaks 22,600 Account Details [source:]" - but at what point does the line between accidental disclosure (or an "error") turn into a data breach?

I think the discussion needs to be had, and while Santander is doing the responsible thing here, when it comes to data breach laws in the US, how do we treat this?  Where is the line drawn between "accidental disclosure" which is just that, accidental, and a data breach which is the result of negligence?

It would seem the entire discussion is based on cause, and whether the cause was "an accident in spite of due diligence" or rather "a result of a lack of appropriate measures" ...what concerns me is this text from the article-

The ICO confirmed that it will be investigating the breach.
"We have recently been informed of a data breach involving Santander. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken," said an ICO spokesperson.
"Under the Data Protection Act, organisations that process personal information have an obligation to keep it secure; therefore, it is a matter of concern if information such as account details have been incorrectly provided to the wrong recipient," they added.

So we turn to trying to figure out how to draw a line on intent ...and that's a very difficult thing.


Alex said...


Just in case you're interested...

Because we're mostly concerned with mining data breaches for risk management purposes, we (Verizon Risk Dudes) consider error a potential primary or contributing cause of a data breach as we classify data breaches.

So in our little world, the fact that confidentiality, integrity, or availability (we actually use Donn Parker's Hexad, but that's a minor detail) was lost or impacted is the reason to be concerned enough to study or examine the case, where error is a(mong the) cause(s).

Personally, I think that's important because there is rarely a "root cause" in security incidents, but rather several causes that create loss. The frequency with which error shows up is really interesting.

Scott said...

In my opinion, intent shouldn't be relevant with regards to the exposure of data. Either the data fell into (or was made available to) unauthorized hands or it didn't. Perhaps the criminal penalties should differ depending on whether the provider or an intruder committed the breach, but that would be the only distinction.