What is a Data Breach
61% of Breaches Hit Small Businesses in 2017
Most states and federal law generally define a data breach as the loss of, or unauthorized access to, an individual's personal, sensitive information. Small businesses are particularly vulnerable because they lack the resources to defend themselves or don't believe they will be a target.
The technical definition of a data breach varies between federal and state laws, and from state to state, but in general a data breach is the unauthorized acquisition of, or access to, unencrypted personal information by an individual. This can happen when information systems are hacked, or when personal information is lost, as in the case of a lost laptop. The kind of personal information that, if accessed or acquired, could trigger a breach includes a person's full name together with a Social Security number, credit card number, or medical information.
There are different types of data breaches, including:
- PII breach: PII is Personally Identifiable Information, such as Social Security numbers, credit card information, date of birth, and, in some states, even email addresses. A PII breach is the unauthorized access to this data. This information can be found in your payroll records, employment applications, and credit card records, and it may also be held at your accountant's office or your payroll company's office.
- PCI breach: The term PCI refers to the Payment Card Industry standards established by the credit card companies. Payment card data includes any information that is accepted, transmitted, or stored as a result of a customer paying an organization directly with a credit card or debit card. All businesses that store, process, or transmit payment cardholder data must maintain a secure environment and take a number of other steps to be PCI compliant. Unauthorized access to or acquisition of this data likely constitutes a breach.
- HIPAA breach: The Health Insurance Portability and Accountability Act (HIPAA) generally defines a HIPAA breach as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. The law requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Common identifiers of health information include names, Social Security numbers, addresses, and birth dates.