Broadly speaking, a security breach is a violation of any policy or law that is designed to secure something. When people or vehicles bypass screening checkpoints, or enter secure buildings without presenting the appropriate credentials, security breaches are generally obvious. Less obvious are security breaches that involve data or information. In a data context, a security breach is any activity that compromises the confidential nature of certain information.
Most of the time, what is or is not a security breach is defined by law. Statutes in many countries set out security measures for any number of things, from border crossings to data sharing and electronic commerce transactions. A breach is usually defined as any action, intentional or otherwise, that weakens a certain defined security interest.
The best-known security breaches typically cause some noticeable harm. An airport security breach that allows a passenger to board a plane with a weapon, or a data loss that leads to identity theft, are clear examples. Under most security breach laws, however, harm is not always a requirement. The threat of harm, or the likelihood of harm, is usually enough.
Security breach laws in most countries operate on a likelihood of harm basis both to create incentives for strong security practices and to punish bad actions without waiting to see if someone or something gets injured first. Although punishments for breaches can be strict under law, the overriding goal is usually safety. Particularly where data breaches and information security breaches are concerned, even a likelihood of harm is often enough to prompt major protective actions.
As more and more sensitive information is stored online, the chances of an Internet security breach or computer security breach become increasingly real, and with them the chance of identity theft, serious financial loss, or other harm. The majority of data security laws require any entity that regularly collects or stores sensitive information to take certain precautions when it comes to securing that information. Most of the time, data must be protected with a series of passwords and electronic keys. Mobile data, particularly data stored on employee laptops or other portable hardware, must usually be protected against inadvertent disclosure or data breach in case of loss or theft.
Laws are often further specialized by industry. Many countries have health data security laws that are different from the laws governing financial information and the possibility of a credit card security breach, for instance. Each country, and sometimes each state or province within a country, has different laws and mandatory security policies. Most also have laws governing how affected individuals must be notified when their information has been part of a security breach. Patients whose files were inadvertently posted to the Internet, students whose academic records were hacked from a university database, and others whose information was in any way compromised are generally entitled to at least notification, if not also remuneration and restitution.
The differences between what laws require can make it difficult for companies operating in multiple jurisdictions to ensure that their security practices are universally compliant. As the laws change and evolve with technology, so must individual security procedures. Most of the time, companies employ compliance officers, lawyers, and data security analysts to oversee all data and other information exchanges and to ensure that all relevant security laws are being followed.