The IT Law Wiki



A data breach means

when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.[1]

Federal Information Security Management Act of 2002

Data breach means

the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data.[2]


A data breach is

  • any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.[3]
  • an organization's unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers, or financial information such as credit card numbers.[4]
  • [t]he unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.[5]
  • [t]he unintentional release of secure information to an untrusted environment. This may include incidents such as theft or loss of digital media — including computer tapes, hard drives, or laptop computers containing such media — upon which such information is stored unencrypted; posting such information on the World Wide Web or on a computer otherwise accessible from the Internet without proper information security precautions; transfer of such information to a system that is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail; or transfer of such information to the information systems of a possibly hostile entity or environment where it may be exposed to more intensive decryption techniques.[6]

A data breach

occurs when there is a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of data.[7]

A data breach is "[a]n incident that violates the confidentiality of data."[8]


"A data breach can occur under many circumstances and for many reasons. A breach can be inadvertent, such as from the loss of paper documents or a portable electronic device, or deliberate, such as from a successful cyber-based attack by a hacker, criminal, foreign nation, terrorist, or other adversaries. Data breaches have been reported at a wide range of public and private institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; and other businesses."[9]

"Data breaches can take many forms including

"Data breaches are caused by computer hacking, malware, payment card fraud, employee insider breach, physical loss of non-electronic records and portable devices, and inadvertent exposure of confidential data on websites or in e-mail. Data breaches are expensive, time consuming, and can damage a company's reputation."[11] "Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud). Identity theft involves the misuse of any individually identifying information to commit a violation of federal or state law."[12]

Specific instances of data breaches

Numerous data breaches and computer intrusions have been disclosed by the nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. The Privacy Rights Clearinghouse chronicles and reports that over 251 million records containing sensitive personal information were involved in security breaches in the United States since January 2005.[13] From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed.[14]


Responses and remedies

These public disclosures have heightened interest in the security of sensitive personal information[21]; security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers[22]; liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization[23]; prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.[24]

"Data breaches are illegal under the Computer Fraud and Abuse Act."[25]


  1. Guide to Information Security, Key terms.
  2. 38 U.S.C. §5727(4).
  3. Data Breach Response Checklist, at 2.
  4. Personal Information: Data Breaches Are Frequent, But Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown, at 2.
  5. NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
  6. Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Justice Entities, at 37.
  7. Data Security Breach Notification Laws, at 1.
  8. Report on Securing and Growing the Digital Economy, at 89.
  9. Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, at 2-3.
  10. Data Breach Response Checklist, at 2.
  11. Data Security Breach Notification Laws, at 2.
  12. Id.
  13. Privacy Rights Clearinghouse, "A Chronology of Data Breaches" (full-text).
  14. Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.
  15. See U.S. v. Choicepoint.
  16. U.S. Securities and Exchange Commission, Form 10-K Annual Report: The TJX Cos., Inc. (full-text). See also In re TJX Companies.
  17. Ross Kerber, "Hannaford Case Exposes Holes In Law, Some Say 'Identity Theft' Criteria Called Too Narrow" (full-text).
  18. Former Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and 1.5 million consumers nationwide and promptly notify consumers exposed by the security breach. See Connecticut Attorney General's Office, Press Release: "Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info" (July 6, 2010) (full-text).
  19. Kevin Sack, "Patient Data Posted Online in Major Breach of Privacy," N.Y. Times (Sep. 8, 2011) (full-text).
  20. State of New York Public Service Comm'n, PSC Investigates Consumer Data Breach At NYSEG, RG&E (Jan. 23, 2012) (full-text).
  21. "Data Security Legislation Expected to Face Big Challenges," 8 BNA Privacy & Security Law Report, at 51 (Jan. 12, 2009).
  22. See Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 56.
  23. See Federal Laws Related to Identity Theft.
  24. See Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.
  25. Cybersecurity: Selected Issues for the 115th Congress, at 3.


External resources

  • EDUCAUSE, Library—Data Breach resources (full-text).
  • Ponemon Institute, "2013 Cost of Data Breach Study: Global Analysis" (May 2013) (full-text). This study was commissioned by Symantec, a computer security software firm.