Data breach vs Data Spillage: What’s the difference?

on 23 Feb 2021 | by Simon Chadwick

Audio-only social network Clubhouse has confirmed that there was an unauthorised transfer of data from its platform on 21st February. Curiously, the company chose to refer to this as a "data spill", rather than a "data breach". So, you may be wondering, is there a difference between the two? Well, the answer is a little complicated, as we’ll see now.

On the face of it, the central factor is intent. Simply, a "data breach" is said to be when data is taken deliberately, while a "data spill" is when data is accidentally shared, kind of like the distinction between murder and manslaughter. In the case of Clubhouse, users are able to have audio conversations via a secure line (and if you’re wondering how that’s different from a telephone, we don’t have an answer for you) without being streamed to a different platform. However, somebody apparently worked out how to do this anyway, which violated the terms of use, and amounted to an unauthorised sharing of data.

The BBC article about the story claims the following:

"A "data spillage" is different to a "data breach", in that data breaches are deliberate and usually carried out by someone hacking into a system to steal data. A data spillage, on the other hand, is an incident whereby confidential information is released into an environment that is not authorised to have access to the information."

So, the distinction is clear.

Or is it?

The first point to raise is that in both cases, the risk is the same. Data spills may sound less worrying than data breaches because they’re accidents, but the meltdown at Chernobyl was an accident too, so don’t be lulled into a false sense of security just because it wasn’t malicious. When your personal data is lost, the threat is still high. It’s the difference between somebody burning down your house deliberately and a stray firework flying through the window and setting the whole place alight. Either way, you end up homeless.

Furthermore, the rules of GDPR are quite clear that the method by which data is lost does not matter. In fact, this is how a data breach is defined in legislation:

"A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data."

Not only is "accidental" included in the definition of data breach, but it is actually the very first adjective used. So, what we see here is that the distinction is non-existent from a legal point of view. It’s only really useful for cyber experts investigating data breaches, and for PR departments in companies trying to gloss over the fact that they’ve screwed up. At the end of the day, if your data’s been lost, it doesn’t matter what they call it – you may still be able to make a claim.

