Defining a "Data Breach"
In the complex landscape of data privacy, state and federal laws regulating data breaches often present contrasting and overlapping definitions. But what precisely constitutes a "data breach"? Generally, it is an incident in which confidential or protected information—ranging from personal data such as names, Social Security numbers, and health information to confidential business records—is accessed, taken, or used without authorization. However, the specific definition of a breach under data privacy laws varies across jurisdictions and industries. Cybersecurity and data privacy attorney Michelle Reed sheds light on the nuances involved in classifying a cybersecurity incident as a breach under the applicable legal standards. Despite the variability across jurisdictions, even minor differences in these definitions matter, because they can decide whether an incident triggers the short notification deadlines that follow a breach.
Reed explains how, while large companies can face thousands of incidents, they may experience relatively few breaches, highlighting the critical role of robust security measures and informed data management in preventing unauthorized access from escalating. This approach underscores a proactive stance on cybersecurity, where knowing one's "crown jewels" and implementing layers of protection are paramount.
Whether a breach occurred can depend on more than the type of data involved. For example, whether data was merely accessed or actually exfiltrated can decide whether an incident is classified as a breach in certain jurisdictions and for certain industries. As Reed explains, the evolving landscape of data protection regulation, including potential expansions of these definitions by bodies such as the SEC, presents new challenges and considerations for businesses evaluating which incidents must be reported as a data breach.
Michelle Reed is a partner at the law firm Akin Gump and the co-head of the firm's cybersecurity, privacy and data protection practice.