A data breach means
|“||when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.||”|
Federal Information Security Management Act of 2002
Data breach means
|“||the loss, theft, or other unauthorized access, other than those incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data."||”|
A data breach is
|“||any instance in which there is an unauthorized release or access of PII or other information not suitable for public release.||”|
|“||an organization's unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information, which can include personally identifiable information such as Social Security numbers, or financial information such as credit card numbers.||”|
|“||[t]he unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.||”|
|“||[t]he unintentional release of secure information to an untrusted environment. This may include incidents such as theft or loss of digital media — including computer tapes, hard drives, or laptop computers containing such media — upon which such information is stored unencrypted; posting such information on the World Wide Web or on a computer otherwise accessible from the Internet without proper information security precautions; transfer of such information to a system that is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted e-mail; or transfer of such information to the information systems of a possibly hostile entity or environment where it may be exposed to more intensive decryption techniques.||”|
A data breach
|“||occurs when there is a loss or theft of, or other unauthorized access to, data containing sensitive personal information that results in the potential compromise of the confidentiality or integrity of data.||”|
"A data breach can occur under many circumstances and for many reasons. A breach can be inadvertent, such as from the loss of paper documents or a portable electronic device, or deliberate, such as from a successful cyber-based attack by a hacker, criminal, foreign nation, terrorist, or other adversaries. Data breaches have been reported at a wide range of public and private institutions, including federal, state, and local government agencies; educational institutions; hospitals and other medical facilities; financial institutions; information resellers; and other businesses."
"Data breaches can take many forms including
- hackers gaining access to data through a malicious attack;
- lost, stolen, or temporary misplaced equipment (e.g., laptops, mobile phones, portable thumb drives, etc.);
- employee negligence (e.g., leaving a password list in a publicly accessible location, technical staff misconfiguring a security service or device, etc.); and
- policy and/or system failure (e.g., a policy that doesn't require multiple overlapping security measures — if backup security measures are absent, failure of a single protective system can leave data vulnerable)."
"Data breaches are caused by computer hacking, malware, payment card fraud, employee insider breach, physical loss of non-electronic records and portable devices, and inadvertent exposure of confidential data on websites or in e-mail. Data breaches are expensive, time consuming, and can damage a company's reputation." "Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud). Identity theft involves the misuse of any individually identifying information to commit a violation of federal or state law."
Specific instances of data breaches
Numerous data breaches and computer intrusions have been disclosed by the nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. The Privacy Rights Clearinghouse chronicles and reports that over 251 million records containing sensitive personal information were involved in security breaches in the United States since January 2005. From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed.
- In February 2005, the data broker ChoicePoint disclosed a security breach, as required by the California Security Breach Notification Act, involving the personal information of 163,000 persons. * In 2006 the personal data of 26.5 million veterans was breached when a VA employee’s hard drive was stolen from his home.
- In 2007 the retailer TJX Companies revealed that 46.2 million credit and debit cards may have been compromised during the breach of its computer network by unauthorized individuals.
- In 2008 the Hannaford supermarket chain revealed that approximately 4 million debit and credit card numbers were compromised when Hannaford’s computer systems were illegally accessed while the cards were being authorized for purchase. There were 1,800 reported cases of fraud connected to the computer intrusion.
- In 2009, 130 million records from credit card processor Heartland Payment Systems Inc. of Princeton, N.J., were breached. Also, in 2009, personal information from Health Net on almost half a million Connecticut residents and 1.5 million patients nationally was breached.
- In 2011, another breach of patient data occurred when data for 20,000 emergency room patients from Stanford Hospital in California was posted on a commercial website for nearly a year.
- In January 2012, New York State Electric & Gas and Rochester Gas and Electric, subsidiaries of Iberdrola USA, sent notices to customers advising them of unauthorized access to customer data on the companies' customer information systems, which contained Social Security Numbers, dates of birth, and financial institution account numbers.
Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud).
Responses and remedies
These public disclosures have heightened interest in the security of sensitive persosal information; security of computer systems; applicability of federal laws to the protection of sensitive personal information; adequacy of enforcement tools available to law enforcement officials and federal regulators; business and regulation of data brokers; liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; remedies available to individuals whose personal information was accessed without authorization; prosecution of identity theft crimes related to data breaches; and criminal liability of persons responsible for unauthorized access to computer systems.
- Guide to Information Security, Key terms.
- 38 U.S.C. §5727(4).
- Data Breach Response Checklist, at 2.
- Personal Information: Data Breaches Are Frequent, But Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown, at 2.
- NICCS, Explore Terms: A Glossary of Common Cybersecurity Terminology (full-text).
- Guide to Conducting Privacy Impact Assessments for State, Local, and Tribal Justice Entities, at 37.
- Data Security Breach Notification Laws, at 1.
- Report on Securing and Growing the Digital Economy, at 89.
- Information Security: Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent, at 2-3.
- Data Breach Response Checklist, at 2.
- Data Security Breach Notification Laws, at 2.
- Privacy Rights Clearinghouse, "A Chronology of Data Breaches" (full-text).
- Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.
- See U.S. v. Choicepoint.
- U.S. Securities and Exchange Commission, Form 10-K Annual Report: The TJX Cos., Inc. (full-text). See also In re TJX Companies.
- Ross Kerber, "Hannaford Case Exposes Holes In Law, Some Say 'Identity Theft' Criteria Called Too Narrow" (full-text).
- Former Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and 1.5 million consumers nationwide and promptly notify consumers exposed by the security breach. See Connecticut Attorney General's Office, Press Release: "Attorney General Announces Health Net Settlement Involving Massive Security Breach Compromising Private Medical and Financial Info" (July 6, 2010) (full-text).
- Kevin Sack, "Patient Data Posted Online in Major Breach of Privacy," N.Y. Times (Sep. 8, 2011) (full-text).
- State of New York Public Service Comm'n, PSC Investigates Consumer Data Breach At NYSEG, RG&E (Jan. 23, 2012) (full-text).
- "Data Security Legislation Expected to Face Big Challenges," 8 BNA Privacy & Security Law Report, at 51 (Jan. 12, 2009).
- See Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 56.
- See Federal Laws Related to Identity Theft.
- See Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.
- Cybersecurity: Selected Issues for the 115th Congress, at 3.