Concerted phishing campaigns and other malware-delivery methods have become so common that individuals, small and midsized businesses (SMBs), and the largest companies worldwide now routinely deal with the impact of a data breach on daily operations. This pervasiveness is generally attributed to the low-risk, high-reward ecosystem in which threat actors (TAs) operate.
According to the FBI, reported cybercrimes have increased 300% since the beginning of the COVID-19 pandemic, and the average cost of a data breach was $4.24 million in 2021, a 10% increase over the previous year.
This article addresses, within the existing regulations of the District of Columbia, what constitutes a breach, which data types are covered, and the reporting obligations that apply to data breaches affecting Washington, D.C. residents.
What is a data breach?
A data breach is the acquisition of digital personal information by unauthorized means. However, according to guidance from D.C.'s Office of the Attorney General (OAG), not every unauthorized acquisition rises to the level of a reportable breach.
For example, no reportable breach is deemed to have occurred if, after consulting the relevant authorities and parties, it is determined that the unauthorized acquisition is unlikely to harm the affected individuals. Those parties typically include the D.C. OAG; a data privacy attorney and a digital forensics and incident response (DFIR) firm, often engaged through the organization's cyber insurance policy; and a remediation firm that establishes the scope of the data accessed and potentially exfiltrated. The FBI may also become involved.
Another case in which an incident is not treated as a breach follows from the DFIR investigation itself. Here, counsel reviews the findings to verify that the acquired information was rendered secure, for example encrypted with a key the TA did not also obtain, or otherwise obfuscated to the point that it is unusable to the TA that acquired it. Encryption alone is not a safe harbor if the key or credentials protecting the data were compromised in the same incident.
What could lead to breach notification?
In D.C., the data elements whose exposure can trigger a breach notification obligation are an individual's first name or first initial and last name, in combination with one or more of the following:
Social Security number
Driver’s license or District of Columbia identification number
Credit or debit card information
Account number, security/access code, or password governing access to financial data
Taxpayer identification number
Military ID number
Genetic information and DNA profiles
Health insurance information
Potential breaches should be reported as soon as they are detected by emailing email@example.com and calling the OAG's Office of Consumer Protection at 202-442-9828.
BinaryLab is a full-service cybersecurity group composed of two practices. BinaryResponse provides breach response and support, including incident containment, forensics, and restoration. BinaryShield provides advisory services, such as regulatory compliance assessments, network audits, and security enhancements based on industry best practices.
The two groups are complementary and reflect BinaryLab's technical ethos: building a risk profile tailored to each client and delivering defense-in-depth, proactive solutions that reduce the client's attack surface and the resulting risk to business operations.
BinaryLab is committed to protecting clients' sensitive data by proactively addressing security concerns and providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.
About the author
Sergio Orellana, Chief Cybersecurity Director
Sergio Orellana is the Chief Cybersecurity Officer of BinaryLab and leads the creation and delivery of enterprise-class cybersecurity and compliance solutions. He is a breach response expert with more than a decade of experience working on large and complex security incidents and investigations.