Given today’s threat-filled environment, chances are high that your organization will be—or already has been—the target of an attack, putting sensitive data at risk. How do you define this? Is it an event? A security incident? A data breach? Does it even matter what it’s called?
In a word, yes. How you classify an occurrence will dictate your response—and thus how well you can minimize the monetary, regulatory, and reputational risks to you, your company, and the customers you serve.
What is an Event?
In its Computer Security Incident Handling Guide, the National Institute of Standards and Technology (NIST) defines an event as “any observable occurrence in a system or network,” such as sending an e-mail message or a firewall blocking an attempt to connect. The guide also defines adverse events as those with a “negative consequence, such as…unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data.”
What is a Security Incident?
A security or privacy incident, on the other hand, is, an event that violates an organization’s security or privacy policies involving sensitive information such as social security numbers or confidential medical information. These can range from a lost thumb drive to missing paper files to what Bloomberg Business calls “sophisticated data attacks,” such as those associated with the Anthem and Sony breaches. Security incidents are part of everyday business—65 percent of healthcare organizations experienced electronic information-based security incidents over the past two years, according to the Ponemon study.
What is a Data Breach?
Data breach is a security (or privacy) incident that meets specific legal definitions as per state and federal breach laws. Data breaches require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies and the media. Only a small percentage of privacy or security incidents escalate into data breaches but to identify them there's a regulatory obligation to conduct an incident risk assessment when the incident evolves PHI or PII. (The Verizon 2015 Data Breach Investigations Report showed confirmed data loss in less than 3 percent of the almost 80,000 incidents reported.)
Despite the relatively low ratio of breaches to incidents, the burden to determine if the incident is a breach is high so you should not get tempted to to “play the odds,” and not treat each incident as a potential breach. The burden of proof is always on the organization to document and perform a multi-factor incident risk assessment to demonstrate compliance or face penalties and corrective action plans from regulators.
Consider the experience of Catamaran, a large public company that provides pharmacy benefits management services to healthcare organizations. To efficiently manage its regulatory obligations and easily navigate the complexity of state and federal breach laws, the company reached out to ID Experts for help managing incident response. ID Experts automated the process of evaluating incidents against current state and federal regulations.
Catamaran discusses its approach in a recent webinar, Bringing Incident Response & Breach Management Out of the Dark Ages.
Properly defining an event or security incident or data breach is more than a matter of semantics. It’s about strategically addressing and protecting your organization against regulatory and reputational risks. It’s about breaking down departmental silos and enabling effective collaboration between security, compliance, privacy and legal roles in an integrated defense against data security threats—whatever they may be.