Data Breach: Why We Need a Scale

Data breaches are becoming much more common. Most states have laws mandating the public disclosure of data breaches where personally identifiable information (PII) is at risk. Cyberinsurance policies even cover data breach costs. However, not all data breaches are the same. We need a data breach scale. Here's why...

by / June 21, 2015


“We have a confirmed data breach.” Those are the words that no security or technology professional wants to hear.

Almost everything we do in our enterprise security programs as leaders, or consultants, or programmers, or analysts, or ethical hackers, or trainers or company business executives or (fill in the blank with another role including end users) is intended to prevent the moment when those words are said.

If you’ve ever been the person accountable for security and heard those words spoken, you know that terrible sinking feeling.

For others, think of how you would feel if you heard a doctor tell you that your tests came back positive and you do, indeed, have cancer.

But here's a reality check to remember: Data breaches happen more often than most people realize. John Chambers, the CEO at Cisco, reportedly said, “There are only two kinds of companies. Those that were hacked and those that don’t yet know they were hacked.”

Nevertheless, despite the bad news, not all data breaches have equal impact and ramifications.

All Data Breaches Are Not Created Equal

Back when I was the Michigan Chief Security Officer a few years ago, I got a call from another state technology leader who wanted a listening ear and some advice for the future. He’d just been interviewed by a local news reporter who asked him several questions on cybersecurity.

The reporter was friendly and helpful, but he was seeking reassurance that the state’s citizen data was being safely and adequately protected. He was looking for a feel-good story with the basic message “everything is fine here.” Since this was shortly after South Carolina’s data breach of more than 3.6 million records, my friend was especially concerned with his answer to one simple question: “Has our state experienced a data breach?”

Feeling caught off guard on this question, he said, “I am not at liberty to discuss this topic.” The truth is that his government had experienced a (very small) security breach in one department several months earlier, but he certainly didn’t want to talk about it to the press. No one wants to be in the headlines for an accidental news story that reflects badly on his/her public- or private-sector organization.

Since most states have breach notification laws, the reporter was clearly expecting a transparent yes or no answer — followed by a discussion of any relevant “yes” details. Since this reporter was trying to write a supportive story, he was surprised by the answer. Needless to say, the reporter’s reaction spooked my friend, leading to the phone call to me.

There Are Many “Minor” Data Breach Stories

In reality, I think this situation is a fairly common dilemma that security and technology professionals face. Of course, no one, including my friend, wants to lie. Furthermore, very few can say an unequivocal “no breaches,” without adding some caveat, such as “that I am aware of” or more likely “we’ve had no major breaches.” Still, who wants to explain the difference between major and minor breaches? 

Digging even deeper, answering the breach question often gets somewhat complicated. Explaining a “minor breach” is a bit like telling your spouse you have easily treatable cancer. No one likes hearing the word “cancer” — even if the odds are good for a full recovery. Allow me to explain with a “very minor breach” story from Michigan government.

Once upon a time, Michigan government had a vendor who won a small contract award. The award announcement was supposed to be placed on a purchasing Web page in a secured area where only authorized vendors can gain access. However, the award announcement was mistakenly placed on a public-facing website. Since this contract was awarded to a sole proprietor, the company identification number listed was also that person’s Social Security number. Bottom line: This sensitive data was temporarily available to the public for more than 24 hours until the error was discovered and fixed.

In simple terms, we experienced a (very minor) data breach of one person’s sensitive information. In keeping with Michigan notification laws and internal government processes, the person was notified and the appropriate follow-up actions, such as issuing free identity theft protection, were taken.

While this type of internal error leading to a breach is rare, I believe that very small data breaches do occur in business offices more often than people realize. In the vast majority of cases, appropriate actions are taken to safeguard consumers and lessons are learned by staff regarding how to prevent future mistakes.

Are Breaches Inevitable?

So are some data breaches inevitable? Probably. But we can certainly reduce the risk of breaches through effective training of end users and technical staff, better coordination and information sharing, and improved overall cyberdefenses.

Of course, minor breaches involving a few sensitive records are very different from major data breaches involving thousands or even millions of records. The recent federal government data breach at the U.S. Office of Personnel Management (OPM) has again raised this issue to the forefront.

In the black-and-white world of the reporter’s simple question, I would acknowledge that Michigan did experience a minor data breach of sensitive data for one individual. So what did I tell my friend? How would I answer that reporter’s question?

“Yes, we have had a very minor data breach in Michigan that was the result of internal administrative errors. Nevertheless, we’ve never experienced anything close to the scale of Utah or South Carolina or Sony so far.”

I would explain our organization’s cybersecurity plans, our data encryption, our actions to date and how seriously we take cybersecurity. And, hopefully, my words don’t make the headlines.

The Time Has Come for a New Data Breach Scale

Which brings me back to the original topic, and next steps. I posted an earlier version of this blog on LinkedIn, and Venturebeat also ran the story. Many comments and other stories flowed from this topic, such as this piece in April 2015 from Meghan Carter at Everbridge and an article by Troy Hunt called “Security Sense: Hacking ain’t hacking,” published by Windows IT Pro.

And the verdict is in. Almost everyone agrees: we need a new data breach scale. I have heard from dozens of colleagues all over the nation, cyberinsurance companies, law enforcement organizations, government entities, nonprofit entities and standards bodies, institutes, university faculty and others. No one thinks this is a bad idea. Sure, there are many opinions on what should or shouldn’t be included, on the timeliness of the data available and on the challenges this effort will face in gaining public acceptance, and opinions differ on who should lead it.

At this point, I am convinced that the time has come for a data breach scale. Communication to internal staff, partners and the public is always the hardest part of incident response, so this new tool will certainly help us communicate more clearly with data owners and stakeholders.

Questions abound. Who decides if a breach is minor or major? There are many “what, when, where and how” questions to be answered.

The scale could be like the Richter scale for earthquakes, the stages used to describe cancer or perhaps the levels that weather forecasters use to describe tornadoes. The purpose is to describe more clearly the different types and scale of data breaches (or perhaps even other types of cyber incidents, such as denial of service attacks or data destruction).

(It must be noted that even one person whose data was accessed for unauthorized purposes has a right to know what happened, and doesn't think that breach is 'minor' if it involves their records -- no matter how many others are involved.)

What I know for sure is that not all data breaches are created equal. The breadth and depth of the recent OPM hack just underlines the need for the breach scale. I have even heard that several organizations have begun working on this effort.

Stay tuned for more details in the coming months. Meanwhile, what is your view? Do you agree that we need a new data breach scale?

Dan Lohrmann, Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.

Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso