7.1. What is a computer security incident?
According to the National Institute of Standards, “a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”
7.2. What is a privacy incident?
According to the US Centers for Medicate & Medicaid Services, “A privacy incident is any event that has resulted in (or could result in) unauthorized use or disclosure of PII / PHI where persons other than authorized users have access (or potential access) to PII / PHI, or use it for an unauthorized purpose.”
7.3. What is a breach?
According to the HHS, “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” However, the HHS goes on to say “There are three exceptions to the definition of ‘breach.’ …”
For the precise legal meaning of breach, and to determine whether your company has suffered a breach according to the legal definition, please consult your attorney.
7.4. What is required of a covered entity after a breach?
The HHS discusses breach notification requirements under HIPAA here. Note that other laws and regulations may apply besides HIPAA. Consult your attorney for details and advice.
We can help you assess the privacy implications of a data incident or breach, working with your legal team to determine how to proceed. This involves evaluating whether the data could be considered deidentified and give you an idea whether or how an attacker could use the data. We can also advise you on how to prevent privacy breaches in the future.IB
7.5. How common are data breaches?
There are thousands of data breaches a year, exposing data on hundreds of millions of people.
The largest breach to date has been the 2021 Facebook breach, leaking data on half a billion Facebook users.
7.6 What is Breach Safe Harbor?
The US Department of Health and Human Services coined the term Breach Safe Harbor to describe the breach of encrypted data. There are a couple caveats. First, your data needs to be encrypted following best practices. Second, state law may differ from federal law. More details here.
