5. What type of information did the threat actors steal?
Now it's time to find out just what was accessed or stolen, says FireEye Mandiant's Carmakal. If it's personally identifiable information (PII), such as Social Security numbers, credit card information or protected health data, all of that must be reported to the impacted individuals, which often leads to public disclosures.
In fact, Carmakal says the terms "data breach" and "security incident" are often used interchangeably, but they are not the same. He says the common legal interpretation of a data breach is the unauthorized access or theft of sensitive information. A security incident might occur in which no sensitive data is accessed or stolen at all. Or, if the data breach only affected the business' own intellectual property, but not PII, it might not trigger data breach disclosure obligations.
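The distinction above only matters once you know which categories of data the accessed files contained, so the first concrete step is a data-classification pass over what the attackers touched. Below is an added illustration (not code from the article or from FireEye Mandiant) of that triage: it scans the contents of accessed files for the three PII categories the article names, using assumed US-style Social Security number formatting, a Luhn check for payment card numbers, and a small keyword list for health records, and then labels the event as a notification-review candidate or a security incident with no PII observed. The file contents are constructed samples.

```python
import re

# Assumed US-format SSN: rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-19 digits, optionally space/hyphen separated.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Constructed keyword list standing in for protected health data indicators.
HEALTH_TERMS = ("diagnosis", "icd-10", "prescription", "patient id")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set:
    """Return the set of PII categories observed in one file's contents."""
    categories = set()
    if SSN_RE.search(text):
        categories.add("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # Luhn filters out long numeric IDs that merely look like card numbers.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            categories.add("payment_card")
            break
    lowered = text.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        categories.add("health")
    return categories


def triage(accessed_files: dict) -> dict:
    """Classify every accessed file and summarise whether PII was involved."""
    findings = {name: sorted(classify_text(body))
                for name, body in accessed_files.items()}
    pii_files = {name: cats for name, cats in findings.items() if cats}
    if pii_files:
        label = "data breach (notification review required)"
    else:
        label = "security incident (no PII observed)"
    return {"findings": findings, "pii_files": pii_files, "classification": label}


# Constructed sample of files an attacker was seen accessing.
SAMPLE_ACCESSED_FILES = {
    "hr/payroll.csv": "name,ssn\nJane Doe,078-05-1120\n",
    "eng/roadmap.md": "Q3: ship the new scheduler; internal design notes only.",
    "billing/export.txt": "card 4111 1111 1111 1111 exp 12/29",
    "clinic/notes.txt": "Patient ID 4471: diagnosis pending review",
}

if __name__ == "__main__":
    result = triage(SAMPLE_ACCESSED_FILES)
    for name, cats in result["findings"].items():
        print(f"{name}: {cats or 'no PII'}")
    print(result["classification"])
```

The keyword and regex lists are deliberately narrow; in practice the same loop would be driven by the organisation's own data inventory, and the output feeds the legal team's disclosure decision rather than replacing it.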