By Patrick Wragg on April 14, 2021

Is It an Incident or a Breach? Defining the Difference

Managed Security Services, Breaches, Alerts & Advisories, Incident Response

In 2020, the average cost of a single data breach rose in all industries worldwide to nearly 4 million USD. These breaches were especially costly in the healthcare sector, where costs soared to an average of 7.13 million USD, with energy and financial industries following closely behind at $6 million. 


The growing risk from cyber crime

Cybercriminals — and their attacks — are getting more and more sophisticated, and as a result, digital attacks are on the rise.  

As these risks increase, so too does the rise in spending on cybersecurity. In fact, the global annual costs for cybersecurity climbed from 75.6 billion USD in 2015 to 124 billion USD in 2019 — nearly double the spending in a mere four years.  

But not every time your enterprise is compromised can it be considered a breach. While some in the industry use the terms “breach” and “incident” interchangeably, there are some notable differences between the two concepts.  

So, what is a breach, and what is an incident? How are they impacting organisations across the globe? And how should each be handled to mitigate the risks? 

In Verizon’s 2020 Data Breach Investigations Report (DBIR), they outlined the differences between these two ideas. Here’s a look at what industry professionals are saying about incidents and data breaches.  

Integrity360 Incident Response eBook

Incidents and Breaches: The Definitions 

Before taking an in-depth look at breaches and incidents, it’s important to understand what each refers to. Verizon has very clear-cut definitions for incidents and data breaches

  • Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.  
  • Data Breach: An incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorised party. 

It’s important to note here that the word incident is used in the definition of a data breach. This is because while all data breaches are definitely incidents, not all incidents are data breaches.  

Two Kinds of Incidents 

An incident is a blanket statement used to describe many different things. Incidents can be broken down into two categories

  • Security Incident: A security incident is an event that violates an organisation’s security policies and its procedures. 
  • Privacy Incident: A privacy incident is a bit more serious. It refers to the disclosure of regulated data, like someone’s personally identifiable information or protected health information, thus violating the Department of Homeland Security’s policies and procedures. 

About Events 

Before going further, it’s important to note that there is another category altogether: events

The National Institute of Standards and Technology defines events as “any observable occurrence[s] in a system or network.” This includes things like a server receiving a request for a web page, someone in your network sending an email, or a firewall blocking an outsider attempting to make a connection. 

Some of these events can have negative consequences, like unauthorised access to sensitive data or the implementation of malware that destroys data.  

If these categories are broken into tiers, we can rank them in order of increasing severity: 

  1. An event 
  2. A security incident 
  3. A privacy incident 
  4. A data breach 

The International Association of Privacy Professionals (IAPP) uses Verizon’s DBIR definition to help determine the difference between an incident and a breach.  

According to their interpretation, a security incident is an event like a malware attack that puts sensitive data at risk for exposure outside of authorization. This refers to any kind of data, including regulated data like financial and medical information, and unregulated data, including intellectual property. It may refer to the unauthorised use or disclosure of regulated data.  

On the other hand, a data breach is an escalation of a privacy incident. Data breaches must be reported to any affected individuals, regulatory agencies, and occasionally to credit reporting agencies and the media.  

When Is an Incident a Breach? 

Since breaches refer specifically to occasions where an incident leads to the unauthorised access to and acquisition of protected and regulated data, it’s helpful to fully understand what qualifies some incidents and breaches.  

So the real difference between the two? It has to do with what happens to the data. Because organisations have to follow very specific protocol when a breach occurs — including contacting individuals and even sometimes the media — these entities should be very careful about labelling an incident as a breach before conducting a thorough investigation. 

For example, under the Health Insurance Privacy and Accountability Act (HIPAA), saying that information was breached is legally not the same thing as saying that information was breached. A full investigation can help organisations reach a real, legal conclusion, and only then should these organisations label a particular qualifying incident as a breach.  

When it comes to categorising an incident as a breach, there are four factors

  • The identifiability of the information: Can an outsider determine to whom the information pertains? Some information may be protected or regulated, but it may not be attached to specific individuals. It may also relate to just how sensitive the data is. 
  • The recipient of the information: Who accessed this information? Did someone who has legal protections get it, or perhaps another covered entity or business associate? This is very different from an instance where regulated data goes to someone else who has a potential motivation to abuse the information. 
  • Whether or not the information was accessed: Did the involved party actually access or view the information? Any available forensic evidence may tell you if the information was compromised in this way. 
  • The mitigation steps after the discovery of the incident: Were you able to stop the compromise? If an organisation was able to get the information back or receive assurance that it was destroyed, this may impact an incident’s qualification as a breach or not. 

Regulatory Issues and Cybersecurity Incidents 

The damage of a cybersecurity incident or data breach is more than just the cost or the blow to your reputation; in many instances, it can also impact your compliance with national and international regulations. Understanding the difference between an incident and a breach matters in these situations, as there can be regulatory consequences. 

An example of this? The General Data Protection Regulation (GDPR) requires involved organisations to act transparently when it comes to security. As such, if a GDPR inspector suspects that an organisation has attempted to downplay the severity of a data breach, it could be held against that organisation. 

Those who have concerns about whether or not they’ve suffered a breach, or if an event qualifies as an incident or a breach, should implement some kind of incident response service. This can help spot and address threats quickly and give organisations the information they need to understand when and how the incident started as well as how to minimise the overall effect of the incident. 

Another benefit to having an incident response plan? It’s definitely helpful in reacting to security incidents, but it’s also helpful in preventing similar mistakes from happening again in the future. With an incident response plan or system in place, you can log security events and responses and build on your existing knowledge to help prevent similar issues from popping up in the future. 

Have an Incident Response Team on Your Side 

Businesses must be able to respond to a cyberattack whether it qualifies as an incident or a breach, which is where an incident response team can make all the difference. This can help avoid the three negative impacts of these happenings: 

  • Reputational risk 
  • Legal risk 
  • Financial risk 

At Integrity360, our Cyber Incident Response Team (CIRT) is always there for you, working 24/7/365 to recognise and contain any threats as they happen. This helps to reduce the amount of time it takes to respond and can potentially minimise the impact — sometimes even keeping an incident from developing into a breach.  

We use a wide array of advanced technologies and experienced specialists to deliver an unbeatable incident response service, helping you respond to suspected security incidents in a timely manner.  

No matter if it’s an incident or a breach, our highly skilled team delivers fast responses thanks to our broad skill set. If you’re ready to minimise risk and identify incidents before they develop into larger issues, perhaps it’s time we talked. Contact us today to learn more about our incident response services.

This blog and its content are provided as a general guide to the subject matter. You should always seek specialist advice about your specific situation.


Sign up to receive the latest insights

Join our cyber security community to stay up to date with the latest news, insights, threat intel and more right in your inbox.  All you have to do is choose how often.