Many human resource professionals may not be familiar with data security-related terminology. As a result, when an incident occurs there can be confusion when terms like “security event” or “data breach” are thrown around. Indeed, one of the most common mistakes made by human resource professionals is assuming that a situation involves a data breach because that term is used by others, and then believing that statutory or contractual obligations that are triggered by a breach must apply.
The problem stems from the fact that many people refer to a “data breach” loosely as any situation in which data may have been removed from, or been lost by, an organization. Technically, however, “data breach” is a legally defined term that typically refers in the United States to a situation where there is evidence of an unauthorized “acquisition” or “access” to certain types of sensitive personal information (e.g., Social Security Numbers, driver’s license numbers, or financial account numbers) that trigger a legal obligation by an organization to investigate the situation and to notify employees, consumers, regulators, or business partners. It is important to realize that many of the situations that are referred to as “data breaches” in the media, and possibly by others in your organization, do not in fact meet the legal definition of the term. For the purpose of clarity, this handbook uses three terms to refer to security situations: a data security “event,” “incident,” and “breach.”
A. Security Events
A “security event” refers to an attempt to obtain data from an organization or to a situation in which data might be exposed. Many security events do not necessarily place the organization’s data at significant risk of exposure. Although an event might be serious and turn into an “incident” or a “breach,” many events are automatically identified and resolved without requiring any sort of manual intervention or investigation and without the need for legal counsel. For example, a failed log-in that suspends an account, a phishing email that is caught in a spam filter, or an attachment that is screened and quarantined by an antivirus program, are all examples of security events that happen every day and typically do not lead to an incident or breach.
B. Security Incidents
A “security incident” refers to an event for which there is a greater likelihood that data has left, or will leave, your organization, but uncertainty remains about whether unauthorized acquisition or access has occurred. For example, if you know that an employee has lost a laptop, but you do not know what information was on the laptop or whether it has fallen into the hands of someone who might have an interest in misusing data, the situation would be referred to as a “security incident.” Another way to think of a security incident is as a situation in which you believe that electronic data that contains personal information may have been improperly accessed or acquired. As discussed in this handbook, security incidents almost always necessitate that you thoroughly investigate to determine whether personal information was improperly accessed or acquired. Put differently, companies conduct investigations to determine whether there is, or is not, evidence that would redefine the “incident” as a “breach.”
Security incidents are attributable to a variety of different causes—sometimes referred to as “attack vectors.” Approximately 75% are caused by third parties, with 25% relating to the actions of employees from within an organization.
C. Security Breaches
As discussed above, a “security breach” or a “data breach” is a legally defined term. The definition varies depending upon the data breach notification law that is at issue. As a general matter, however, a security breach refers to a subset of security incidents where the organization discovers that sensitive information has been accessed or acquired by an unauthorized party and that acquisition has created the possibility that an employee or a consumer might be harmed by the disclosure. In the laptop example provided above, if you determine that the laptop was stolen and it contained unencrypted Social Security Numbers (e.g., a spreadsheet of employee W2 information), the incident would fall under the definition of a “security breach.” As discussed below, security breaches almost always dictate that you consider the legal requirements of data breach laws.
If you identify a security breach, you should be cognizant that security breaches typically impact organizations in a number of ways:
Reputational Cost: A security breach can erode the confidence of employees, customers, donors, or clients, which can significantly impact sales, recruitment, and/or the overall reputation of your organization. Often the indirect cost to the organization from adverse publicity significantly outweighs direct costs and potential legal liabilities.
Business Continuity Cost: Breaches that create, expose, or exploit vulnerabilities in network infrastructure may require that a network be taken offline to prevent further data loss. For organizations that rely heavily on IT infrastructure (e.g., an ecommerce retailer), removing or decommissioning an affected system may have a direct adverse impact on the organization.
Competitive Disadvantage: Breaches that involve competitively sensitive information such as employment compensation, trade secrets, customer lists, or marketing plans may threaten the ability of your organization to compete.
Investigation Costs: Security incidents involving IT infrastructure may require the services of a computer forensics expert in order to help investigate whether a breach has occurred and, if so, the extent of the breach. Security incidents that involve the potential of insider misconduct may necessitate an internal investigation in order to determine whether an employee has committed misconduct.
Contractual Costs: Your organization may be contractually liable to business partners in the event of a data security breach. For example, a breach involving a retailer’s electronic payment system will typically trigger obligations under the retailer’s agreements with its merchant bank and/or its payment processor. Those obligations may include, among other things, the assessment of significant financial penalties. As another example, some outsourcing contracts require companies that provide services to other companies to pay for the cost to notify impacted individuals and to indemnify their business partner from lawsuits. In the human resource context, if your organization is a human resource-related service provider, a breach of information that has been placed in your custody in order to provide services could lead to contractual liabilities depending upon the terms of your service agreement.
Notification Costs: If your organization is required to, or voluntarily decides to, notify employees of a data security incident, it may incur direct notification costs relating to identifying applicable data breach notification statutes and physically printing and mailing notification letters. Although most statutes do not require organizations to provide employees with credit monitoring, identity-theft insurance, or identity-theft restoration services, in some situations, offering such services at the organization’s own cost has become an industry standard practice.
Regulatory Costs: A regulatory agency may decide to investigate whether an organization should have prevented a breach and/or whether an organization properly investigated and responded to it. In addition, some regulatory agencies are empowered to impose civil penalties or monetary fines in the event that they determine the organization’s security practices were deficient or that an organization failed to properly notify employees, consumers, or the agency itself in a timely manner. Significant legal expenses can be associated with a regulatory investigation.
Litigation Costs: While Bryan Cave LLP’s 2016 Data Breach Litigation Report found that approximately 5% of publicly reported data security breaches result in the filing of a federal putative class action lawsuit, the vast majority of suits filed did not relate to breaches involving the loss of human resource-related data; far fewer HR-related data breaches turn into litigation. Although most suits have not resulted in a finding of liability, defense costs and settlement costs can be significant if litigation is initiated.
TIP: While it may seem like there is no harm in using terms like “data breach” to describe any event or incident, the term can cause confusion to employees, others in your organization, or the public who may jump to the conclusion that you have actually confirmed that sensitive information has been accessed or acquired by a bad actor. Using the correct terminology can avoid that problem.