By Phil Schenkenberg and Zenus Franklin
February 9, 2021
Privacy and cyber lawyers say “Incident Response” rather than “Breach Response” for a reason. Consider training your organization to use the word “incident” until legal counsel calls something a “breach.”
Is it really that big of a deal? Maybe, and maybe not. You may know someone who reflexively said “I’m sorry” after getting in a fender-bender that was the fault of the other driver. If there was a dispute over who was at fault, the statement “I’m sorry” was likely considered to be an admission against interest and admissible in court. It’s not proof of responsibility, but that’s the way such a statement is often interpreted. This is why your insurance company wants you to say as little as possible after an accident, and never to say “I’m sorry.”
Use of the word “breach” can create similar problems. That word has legal significance. In Minnesota, “breach” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. And in Massachusetts, such unauthorized acquisition is not a “breach” unless there is a “substantial risk of identity theft or fraud.”
The term “incident,” on the other hand, is not generally found in statutes and rules. We deal with many incidents that do not meet the definition of a breach. For example, assume that you left your company computer in a coffee shop and didn’t realize the mistake until you got home. When you return, the manager pulls it out from under the counter and gives it back to you. That is certainly an “incident” – you have lost control of a computer with confidential business information on the hard drive. But is it a breach? Assume the computer had been powered off, was protected by a complex password that allowed only ten attempts before deleting the hard drive, and required multifactor authentication to access anything sensitive. By following the company’s incident response plan, it might be decided that your mistake did not lead to the unauthorized acquisition of data by anyone; the laptop simply sat undisturbed behind the register for 30 minutes. That’s an incident, but not a breach.
Similarly, assume a hacker gets into a company database that contains only names and email addresses. Is that “personal information” as defined under the applicable statute? Does the incident create a risk of identity theft under statutes and rules like those in Massachusetts? If not, it may not be a breach.
If legal counsel later determines that an incident does not rise to the level—legally—of a breach, it is counterproductive for employees in the organization to be using the B-word, especially in writing. Like with the car accident example, use of the word “breach” does not create liability, but it can be both problematic and inaccurate. The descriptive word “incident” allows for effective and accurate communication, without the legal pitfalls.
Phil Schenkenberg is the Minneapolis practice leader for the Taft law firm’s Privacy and Data Security practice. Phil’s cybersecurity practice focuses on data governance, contract obligations, transactional due diligence and breach response. Phil is active on cybersecurity issues, including through his membership in InfraGard (Minnesota chapter).
Zenus Franklin is a business and finance attorney in Taft law firm’s Dayton office, where he focuses on corporate governance, privacy and data security and data governance planning. Zenus received his J.D., cum laude, from the University of Dayton School of Law, where he was a publications editor of the University of Dayton Law Review.