The ubiquity of concerted campaigns through phishing and various other methods of malware deployment have led to individuals, small and midsized businesses (SMBs), and the largest companies worldwide to deal with the brutal impact of a data breach on daily operations. This pervasiveness is understood to occur due to the low-risk, high-reward ecosystem in which threat actors (TA) operate.
According to the FBI, reported cybercrimes have increased 300% since the beginning of the COVID-19 pandemic, and the average cost of data breaches was $4.24 million in 2021, representing a 10% increase compared to the previous year.
This article will address, within the existing regulations of the District of Columbia, what constitutes a breach, what data types they are, and the reporting obligations required to address the volume and impact of data breaches in Washington, D.C.
What is a data breach?
A data breach is the acquisition of digital personal information by unauthorized means. However, the issued guidance states there are limits to defining a breach, according to D.C.’s Office of the Attorney General (OAG).
For example, no breach is said to have occurred if it is determined by consulting the relevant authorities and parties that the unauthorized acquisition is unlikely to harm their customers. Those relevant parties include the D.C. OAG, the use of cyber insurance to contract a data privacy attorney and digital forensic investigation (DFIR), and a remediation firm to understand the scope of data accessed and potentially breached. The FBI may also become involved.
Another example where a breach is not defined as such is as a product of the DFIR investigation. In this situation, counsel will review to verify that the information was rendered secure by potential encryption or obfuscated enough it is unusable by the TA that acquired it.
What could lead to breach notification?
In D.C., leeched data that could lead to a need to notify users of a breach include:
- First initial and last name
- Phone number
- Social Security number
- Driver’s license or District of Columbia identification number
- Credit or debit card information
- Account number, security/access code, or password governing access to financial data
- Passport number
- Taxpayer identification number
- Military ID number
- Medical information
- Biometric data
- Genetic information and DNA profiles
- Health insurance information
Users should report potential breaches as soon as they are detected by emailing firstname.lastname@example.org and calling the OAG’s Office of Consumer Protection at 202-442-9828.
BinaryLab is a full-service, cybersecurity group comprised of two practices. BinaryResponse provides breach response — including incident containment, forensics, and restoration — and support. BinaryShield performs advisory services, such as regulatory compliance assessments, network audits, and enhancements based on industry best practices for our clients.
The two groups are complimentary and reflect BinaryLab’s technical ethos of creating risk profiles tailored to each client and providing defense-in-depth, proactive solutions to reduce a client’s threat surface, which may impact business operations.
BinaryLab is committed to protecting clients’ sensitive data by proactively addressing security concerns, as well as providing relevant and timely security expertise. For an assessment or more information, contact BinaryLab at 301-337-3131.
About the author
Sergio Orellana is the Chief Cybersecurity Officer of BinaryLab and leads the creation and delivery of enterprise-class cybersecurity and compliance solutions. He is a breach response expert with more than a decade of experience working on large and complex security incidents and investigations.
Learn more about Sergio here.