Breach - Legal Definition vs Technical Event
In cyber incident response, the word breach has different meanings in legal, regulatory, and technical contexts. The legal definition is narrower than the technical use and is what triggers notification obligations to regulators and individuals. Confusing the two terms during an incident can produce false statements with severe consequences; mature programs use precise language from the first internal communication.
Key Legal Definitions
- GDPR Article 4(12) "personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
- HIPAA 45 CFR 164.402 "breach": the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule, with a four-factor risk assessment to determine if notification is required
- State breach notification laws: typically require unauthorized acquisition (or in some states, access) of unencrypted personally identifiable information, with state-specific definitions and notification thresholds
- PCI DSS "compromise": confirmed or suspected unauthorized access to or disclosure of cardholder data
Technical vs Legal Use
Technical responders use "breach" loosely to mean any unauthorized access or successful intrusion. Legal and regulatory definitions are more specific and often add elements such as access to particular data categories, lack of encryption, risk of harm, or notification thresholds. An intrusion that compromises systems but does not result in personal data exposure may not be a "breach" under GDPR, HIPAA, or state law, even though responders may accurately describe it as one in the technical sense in internal communications.
Why the Distinction Matters
Internal documents using "breach" loosely can be cited later as evidence that the company concluded a notifiable breach occurred and then failed to notify. Conversely, refusing to use "breach" when the legal definition is met can be evidence of bad faith. Mature programs use terms such as "incident," "intrusion," "unauthorized access," or "data exposure" internally and reserve "breach" for the determination that the legal threshold has been met.
Track breach determinations defensibly
IR-OS captures the legal-definition breach determination process, evidence, and timing in a record ready for regulators and counsel.