When is a breach not a breach?

Close up of personal information form with confidential stamp and writing hand

Cancer research lab LabMD came under fire last month when an employee violated company policies and downloaded P2P software, inadvertently exposing sensitive patient information on a file-sharing network. Fortunately, the breach was detected and shut down before anyone on the outside noticed, and no one accessed the sensitive data.

Should LabMD have been penalized?

But because the employee’s actions had the potential to cause a severe data breach, should the breach still be classed as a breach and should LabMD be penalized?

“A breach that doesn’t result in anyone compromising any data is something like the proverbial tree that falls in the forest with no one around. Is it truly a data breach?” ComputerWorld

The case was brought to court and, in response, federal judge D. Michael Chappell ruled that a data breach needs to have actual victims, not merely hypothetical ones:

“There is no evidence that any consumer has suffered any substantial injury as a result of Respondent’s alleged conduct, and both the quality and quantity of Complaint Counsel’s evidence submitted to prove that such injury is, nevertheless, ‘likely’ is unpersuasive… While there may be proof of possible consumer harm, the evidence fails to demonstrate probable, i.e., likely, substantial consumer injury.”

In my view, LabMD should be applauded for how quickly it was able to spot the vulnerability and act on it so to mitigate a breach involving sensitive data.

Employees are an organization’s worst nightmare when it comes to security; whether maliciously or accidentally, they can cause breaches with just a click of a mouse. A recent study by CompTIA found that:

  • 63% of employees use their work mobile device for personal activities
  • 94% of employees connect their laptop/mobile to public Wi-Fi networks
  • 49% of employees have at least ten logins, but only 34% have at least ten unique logins
  • 45% of employees receive no cybersecurity training from their employers

Cybersecurity staff awareness training

The best way to mitigate security pitfalls from employees is to increase cybersecurity staff awareness training. Training will make sure your employees are fully aware of the security threats they face, and can act quickly and instinctively to phishing campaigns, spam emails, malicious websites, suspect removable devices, and the like.

If you’re concerned about your organization’s susceptibility to insider security threats, you need to ensure that everyone in the organization behaves responsibly. IT Governance’s Information Security & ISO 27001 Staff Awareness E-learning Course enables employees to gain a better understanding of information security risks and compliance requirements in line with ISO 27001, the international standard for information security.