Understanding Access vs. Acquisition - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

‘Dear Mary,’ is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. ‘Dear Mary’ goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

Each of the 50 states has its own definition of what constitutes a reportable data breach. For some, it requires “unauthorized access” to personal information. For others, it requires “unauthorized acquisition.” And then, some states have further qualifications to their definition, such as whether that unauthorized access or acquisition “compromises” or “materially compromises” the integrity, security, or confidentiality of the data. No states (apart from New York) define access or acquisition, and no state defines compromise vs. material compromise. How would you suggest analyzing all these varying terms?

– Patchwork



July 25, 2024

Dear Patchwork,

Excellent question. The first step is determining if there is “access” or “acquisition.” Let’s begin there.

The question of access versus acquisition focuses on how the threat actor interacted with the protected information.

Imagine a burglar enters your house, rifles through important documents on your desk, and reads them trying to find information they can steal. However, whether because of time constraints or lack of interest, after reading the documents, the burglar didn’t take them with him. This would be a form of “access.” The burglar gained access to the documents and viewed them, but never took them out of your house.

Now imagine a scenario where the burglar enters the house and, without even rifling through the documents, throws them in a box and takes them with him. He has removed the documents from your house. That’s a form of acquisition.

Now let’s apply this metaphor to a security incident. Let’s say there is evidence that a threat actor gained access to your system and clicked and opened a file. That would likely be a form of access. If a threat actor exfiltrated the files — meaning they copied, downloaded, or otherwise removed the information from your environment — that would be acquisition.

Your question about “compromise” or “material compromise” generally concerns the impact on the data from a security, confidentiality, or integrity standpoint. With some exceptions (e.g., where data may have been removed from the environment but remains unreadable), usually, if there is unauthorized access to or acquisition of data, it is considered compromised, whether “material” or not.

So, our next step is typically to see if the law allows for a risk of harm analysis, which focuses not on the impact to the data, but on the potential impact to the consumer. For example, is the consumer now at risk of identity theft or fraud?

It’s worth noting that some of the factors you may consider when evaluating the risk of harm to consumers are the same factors you would use to determine whether the security, confidentiality, or integrity of the data has been compromised. For instance, if the data was encrypted and the threat actor did not gain access to the decryption key, we might conclude that the confidentiality, security, or integrity of the data has not been compromised. Consequently, the incident is unlikely to result in harm to the consumer since the threat actor cannot view or use the data.

As you noted, many states don’t qualify what they consider to be access, acquisition, compromise, or even a material risk of harm. When in doubt, however, use the patchwork to your advantage (see what I did there?). Despite their differences, all these laws are grounded in the same fundamental principles and aim to protect consumers. Therefore, if one statute is silent on a particular issue, it may be reasonable to look to other laws or legal opinions for guidance. By doing so, you can draw on a broader range of interpretations and best practices to inform your approach and ensure compliance with the overarching goal of consumer protection.

Cheers,

Mary

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Troutman Pepper | Attorney Advertising
