Definition of Data Compromise | Significant Risk of Harm?
In data security, what is the difference between a vulnerability and a compromise? How can one distinguish the two in practice?
In common parlance, a vulnerability in information security is a shortcoming in control, such as the use of weak wireless encryption (WEP) rather than strong wireless encryption (WPA). The shortcoming opens a potential opportunity for a wrongdoer to access data without authority. But the existence of the vulnerability does not establish there has been a compromise.
A compromise, on the other hand, is commonly understood to be an event. It is actual access to or acquisition of data by someone without authority.
In the event that personal data has been compromised, many laws require the holder of the data to give official notice to a data subject. These laws are not uniform or consistent in their definition of compromise.
* According to one leading data notification law, California’s Senate Bill 1386 , notice must be given when “unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
* According to another leading law, 45 CFR §164.402 applicable to healthcare entities, notice is required when “acquisition, access, use, or disclosure” of data “poses a significant risk of financial, reputational, or other harm to the individual.”
So roughly speaking, vulnerability is potential, and compromise is an event.
But in a functioning information system, the data holder’s knowledge of the difference between potential and event must be based on evidence. Rarely is that evidence strong and conclusive. Rarely does the data holder have something like sworn testimony from an unauthorized person that she acquired the data or that she intends to misuse the data.
More often, the data holder has only snippets of evidence about the (in)security of the data. In any given situation, these snippets might be interpreted as a vulnerability, or they might be interpreted as a compromise. See good discussion on the SANS Forensics blog.
Example: Data holders commonly issue notice when a unit of data-holding hardware, such as a tape or a laptop is lost. But the fact that one cannot confirm the physical location of hardware does not necessarily mean that an unauthorized person possesses the hardware, understands how to use it, harbors the desire or ability to misuse it, and so on. The data holder’s ignorance of the hardware’s location is really just a vulnerability. But this vulnerability is often treated as a breach, which results in the delivery of a strange notice to data subjects.
Vulnerabilities are an inescapable fact of modern life. In functioning commercial and government systems, virtually all data are subject to multiple vulnerabilities all the time. Any auditor worth his salt can always find vulnerabilities, even in well-managed systems. [Even the mighty National Security Agency has to assume that adversaries will succeed in breaking into its highly secure systems.]
Suppose the data holder’s IT system has logs that show an unauthorized computer did or could have accessed data. Is that proof of a breach/compromise?
Rarely do such logs constitute forensically conclusive proof of a breach. The fact that one computer registers the movement of data to another computer does not necessarily mean that the person or persons who may from time to time control the second computer saw any data, remembered any data, retained any data, intended to possess the data, exercised any meaningful dominion over the data, possessed the ability to exploit the data and so on. In this age of data overload, people often touch computers will little meaningful comprehension of most of the data that may reside in or pass through them.
In fact, owing to all of the attention given to identity theft in the past decade, and efforts like the FACTA Red Flag rules to intercept identity thieves in the act, I hazard to guess that ID theft is harder to execute today than it was in the past. (This is a topic for a future blog article.) Data abuse is risky, and would-be criminals know it. Many of the unauthorized people who might have some fleeting contact with personal data will stay away from it or will be unable to exploit it.
My sense is that data holders issue more beach notices than is required by law or is good for society. They treat many vulnerabilities as breaches. Individuals are hence bombarded with notices. Individuals become jaded and learn simply to ignore so many of these notices.
The breach notices become like the mind-numbing “Proposition 65" signs one sees posted on buildings – hotels, restaurants, apartments, grocery stores, coffee shops, etc. -- all over California: “This area contains chemicals known to the State of California to cause cancer, birth defects or other reproductive harm.”
–Benjamin Wright
Mr. Wright teaches data security law at the SANS Institute.
« IT Security Policy Documentation | Main | Investigator Ethics | Forensics Professional Integrity »
05/18/2010
The comments to this entry are closed.
Wright's Online SANS Education
Wright's Public Appearances
Blogger
- Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
IT Administrators
Custom Professional Training
Important!
- No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.
The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.
Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.
Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.
Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.
SANS Quote
- "The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training
MY BLOGS HAVE LOADS OF CONTENT. SEARCH! ↓
Become a Fan
Find More on This Blog
- Categories and Archives
Over 100 Categories
Comments