Recently one of our clients got a system infected with a virus and worried about whether or not they needed to report it. First, it IS possible to get a virus even though you're doing everything right, such as maintaining up-to-date antivirus protection, firewall protection, and security patch updates. But in most cases, although viruses can create a lot of damage and disruption, no data is exposed to the wrong hands.
The Massachusetts Data Protection Law and many industry-specific standards such as HIPAA have rules regarding breach disclosure requirements. To gain more insight into what actually constitutes a breach, here is a definition of a breach from the HHS.gov website (Health and Human Services). In this case, the language specifically relates to protected health information, but similar guidelines can be used to understand other protected information.
“Definition of Breach
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.”
In some cases, viruses can introduce key-logging software that could lead to a breach, but in general there is no “use or disclosure”. The damage done by a virus may be thought of as analogous to someone physically damaging your computer with a hammer. It's damaged, and harm was done, but no information was disclosed: more an act of vandalism than theft.
We strongly advise all clients to keep up to date with security training and make sure all employees understand the need for maintaining up-to-date security protection.