Ten or twelve years ago, IT security companies warned of the possibility of a catastrophic data breach, but there were far fewer real-world examples than there are today. Now, it seems that some new breach comes to light every week, sometimes more than one a week. Data breaches can affect a wide variety of data: customer and employee records, payroll data, intellectual property, strategic plans and more. In the modern digital economy, securing your data is more important than ever. But what’s the current thinking on how to define a data breach? Does ransomware count as a breach?
U.S. Federal Government Data Breach Definitions
The FBI defines a data breach as “A leak or spill of data, which is released from a secure location to an untrusted environment. Data breaches can occur at the personal and corporate levels and involve sensitive, protected, or confidential information that is copied, transmitted, viewed, stolen, or used by an individual unauthorized to do so.”
The NICCS (National Initiative for Cybersecurity Careers and Studies), which was created by the U.S. Department of Homeland Security, defines the term similarly: “the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”
That seems like a pretty good working definition and is consistent with the FBI’s view. This could include malware that logs keystrokes or someone using valid credentials purchased on the dark web to access your cloud applications. It could also include inadvertent disclosure by an employee, or a departing employee downloading data onto a flash drive on the way out the door. The possible scenarios are endless.
But what about ransomware—does that count? The letter of these definitions does not seem to cover ransomware, a category of malware in which attackers encrypt your data until you pay a ransom to regain access. Attackers don’t even want your data, they just want you to pay to get it back. Ransomware does not exfiltrate the data from the network.
The U.S. Department of Health and Human Services explicitly labels ransomware as a breach in its Ransomware and HIPAA Fact Sheet: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
How the European Union General Data Privacy Regulation (GDPR) Defines a Data Breach
The European Union General Data Privacy Regulation, or GDPR, has made a lot of headlines recently. As you probably know, the GDPR establishes new rules for the collection and processing of personal data. This had been in the works for some time, but officially went into effect on May 25, 2018.
The GDPR says that a personal data breach means a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” This seems broader than some definitions because it includes destruction and alteration. It also includes some of the more mundane sources of data loss, as in cases where someone in the organization simply makes a mistake in disclosing data improperly. Hackers are not the source of every breach.
The EU Article 29 Working Party was an advisory body charged with promoting consistency and making recommendations to EU countries about data privacy. (When the GDPR went live, it was replaced by the European Union Data Privacy Board). In October 2017, the Working Group opined that “an incident resulting in personal data being made unavailable for a period of time is a security breach (and should be documented), yet depending on the circumstances, it may or may not require notification to the supervisory authority and communication to affected individuals. If the lack of availability of personal data is likely to result in a risk to the rights and freedoms of natural persons, then the controller will need to notify.”
So, the very loss of access constitutes a breach, which would cover ransomware. Remember, with ransomware, the data does not leave the network but is encrypted with a key that the attacker provides in exchange for a ransom.
An IT Industry Authority’s Data Breach Definition: The Verizon Data Breach Report
The Verizon Data Breach Report is an industry-standard study on breach trends that is usually released around the time of the RSA Conference. The 2018 Verizon report defines a breach as “an incident that results in the confirmed disclosure—not just potential disclosure—of data to an unauthorized party.” While this definition does not seem to include ransomware, Verizon did feature this category threat prominently in the report.
Data Breach or Data Compromise?
One final thought before we wrap up. Technically speaking, it’s your defenses that are being breached—your data is being compromised. The dictionary definition of breach is, after all, “rupture.” The IT industry has used the term “data breach” to mean “data compromise,” but the data is not being ruptured. It’s being stolen, maliciously encrypted, disclosed through human error and so on. That’s not to say that use of “data breach” is going away, it just supports the idea of defining the term broadly. Ransomware is certainly a data compromise in this broader sense, and hence a “breach” in the way that security experts generally use the term.
Thinking on this topic continues to evolve, but it seems likely that the global consensus of the meaning of the term “breach” is going to end up being defined more broadly rather than less. Given that the GDPR may establish a new high-water mark for data privacy, that’s an especially important data point. Also, health care is probably one of the more advanced industries in terms of data privacy and security, so the Health and Human Services view is persuasive.
Whatever the semantics, IT teams need to defend against a wide variety of incidents that can lead to data compromise. Layered protection is a universally accepted IT security best practice. One important element of this is secure network access, also known as secure network onboarding and authentication, for BYOD, guest and IT-owned devices. The Ruckus Networks entry in this category is Cloudpath Enrollment System. If you are looking for ways to plug even the less obvious potential security holes in your environment, now’s a great time to learn more about how Cloudpath software can help. For a quick overview of the product, you can check out this new video.