Mark Rasch raises an important issue — the risks of reporting a breach that you may not need to report. Using the Blackbaud incident as his starting point, he writes:
In May, cloud provider Blackbaud was the victim of a ransomware attack designed to lock it out of accessing its own data and servers. The company notified law enforcement, used its own cybersecurity team and hired outside consultants, and successfully prevented the attacker from blocking access to the system and “fully encrypting” the files—ultimately expelling the threat actor from its system. Blackbaud noted that the hacker had “removed a copy of a subset of data from our self-hosted environment” but that “[t]he cybercriminal did not access credit card information, bank account information, or Social Security numbers.”
In the case of Blackbaud, similar to the case of Uber, the company decided to pay the hackers. While it does not appear that the company paid the hackers for their silence, Blackbaud “paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” and the company noted that, based on its investigation and that of law enforcement and the nature of the incident, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly …”
In short, the company suffered a ransomware attack that included a partial data breach (breach of a subset of its data). Blackbaud recovered from the ransomware, secured the data and had reasonable assurance (not sure how) that the data, while breached in the sense that there was “unauthorized access” to the data, was not used or transmitted to anyone else and was destroyed.
Under these circumstances, a data breach disclosure to customers and to various Attorneys General is probably both legally required and unnecessary. Indeed, Blackbaud did make such a breach disclosure. In return, the company was sued in a class action filed on behalf of its customers.
Read more on Security Boulevard.