Definition of Data Compromise | Significant Risk of Harm?
In data security, what is the difference between a vulnerability and a compromise? How can one distinguish the two in practice?
In common parlance, a vulnerability in information security is a shortcoming in control, such as the use of weak wireless encryption (WEP) rather than strong wireless encryption (WPA). The shortcoming opens a potential opportunity for a wrongdoer to access data without authority. But the existence of the vulnerability does not establish there has been a compromise.
A compromise, on the other hand, is commonly understood to be an event. It is actual access to or acquisition of data by someone without authority.
In the event that personal data has been compromised, many laws require the holder of the data to give official notice to a data subject. These laws are not uniform or consistent in their definition of compromise.
* According to one leading data notification law, California’s Senate Bill 1386 , notice must be given when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
* According to another leading law, 45 CFR §164.402 applicable to healthcare entities, notice is required when “acquisition, access, use, or disclosure” of data “poses a significant risk of financial, reputational, or other harm to the individual.”
So roughly speaking, vulnerability is potential, and compromise is an event.
But in a functioning information system, the data holder’s knowledge of the difference between potential and event must be based on evidence. Rarely is that evidence strong and conclusive. Rarely does the data holder have something like sworn testimony from an unauthorized person that she acquired the data or that she intends to misuse the data.
More often, the data holder has only snippets of evidence about the (in)security of the data. In any given situation, these snippets might be interpreted as a vulnerability, or they might be interpreted as a compromise. See good discussion on the SANS Forensics blog.
Example: Data holders commonly issue notice when a unit of data-holding hardware, such as a tape or a laptop is lost. But the fact that one cannot confirm the physical location of hardware does not necessarily mean that an unauthorized person possesses the hardware, understands how to use it, harbors the desire or ability to misuse it, and so on. The data holder’s ignorance of the hardware’s location is really just a vulnerability. But this vulnerability is often treated as a breach, which results in the delivery of a strange notice to data subjects.
Vulnerabilities are an inescapable fact of modern life. In functioning commercial and government systems, virtually all data are subject to multiple vulnerabilities all the time. Any auditor worth his salt can always find vulnerabilities, even in well-managed systems. [Even the mighty National Security Agency has to assume that adversaries will succeed in breaking into its highly secure systems.]
Suppose the data holder’s IT system has logs that show an unauthorized computer did or could have accessed data. Is that proof of a breach/compromise?
Rarely do such logs constitute forensically conclusive proof of a breach. The fact that one computer registers the movement of data to another computer does not necessarily mean that the person or persons who may from time to time control the second computer saw any data, remembered any data, retained any data, intended to possess the data, exercised any meaningful dominion over the data, possessed the ability to exploit the data and so on. In this age of data overload, people often touch computers will little meaningful comprehension of most of the data that may reside in or pass through them.
In fact, owing to all of the attention given to identity theft in the past decade, and efforts like the FACTA Red Flag rules to intercept identity thieves in the act, I hazard to guess that ID theft is harder to execute today than it was in the past. (This is a topic for a future blog article.) Data abuse is risky, and would-be criminals know it. Many of the unauthorized people who might have some fleeting contact with personal data will stay away from it or will be unable to exploit it.
My sense is that data holders issue more beach notices than is required by law or is good for society. They treat many vulnerabilities as breaches. Individuals are hence bombarded with notices. Individuals become jaded and learn simply to ignore so many of these notices.
The breach notices become like the mind-numbing “Proposition 65" signs one sees posted on buildings – hotels, restaurants, apartments, grocery stores, coffee shops, etc. -- all over California: “This area contains chemicals known to the State of California to cause cancer, birth defects or other reproductive harm.”
Mr. Wright teaches data security law at the SANS Institute.