Tips, Tools and Checklists

Helpful tips to protect your privacy online.


Determining Whether There is a Data Breach

Tip Author: 
WIll Saunders, OPDP

Breaches are becoming more common because of the collection and storage of mass amounts of data. But how do you know if a breach occurred? What type of information is important and what actually constitutes a breach. This checklist provides an overview of what to look for and how to assess whether a breach occurred. Remember, you should always conduct a debriefing whenever you think a breach occurred.

  • Describe incident and nature of confidential information that was potentially compromised
  • Deduce whether the information was secured* (was the information encrypted or otherwise unusable, unreadable, or indecipherable to an unauthorized individual?)
    • Note: Secured means encrypted in a manner that meets or exceeds the National institute of Standards and Technology (NIST) standard or is otherwise modified so that the Personal Information (PI) is rendered unreadable, unstable, or undecipherable by an unauthorized person. If you do not know if the information was secured by NIST standards, contact your Administration’s IT Security Administrator.
  • Determine whether the information is personal information?
    • Note: PI means an individual’s first name or first initial and last name in a combination with any one or more of the following: Social security number; Driver’s license number or Washington identification card number; or Full account number, credit or debit card number or any required security code, access code, or password that would permit access to an individual’s financial account.
    • If No, then notification is NOT required. Further response and completion of risk assessment is optional with program. End process and conduct debriefing.
    • If Yes, please continue with the process below.
  • Determine to whom the disclosure of Personal information was made (i.e. was it made to an authorized person, unauthorized person etc.) and whether that person would not reasonably be able to retain the information?
    • If made to an authorized person, who could not reasonably be able to retain the information, then not a breach, tender an explanation. End process and conduct debriefing.
    • If Unknown: Continue with process below.
    • If not made to an authorized person or the person could reasonably retain the information, then continue with process below
  • Determine whether the acquisition, access or use of the PI, was used by or for any or all of the factors below
    • Factors:
      • By an employee or contractor to an employee or contractor;
      • Unintentional;
      • Made in good faith and within the scope of authority; AND
      • With no further unauthorized use or disclosure.
    • If you said yes to all four of the factors then the incident is not a breach. You do not need to continue with the assessment but must conduct a debriefing.
    • If you said no to any of the factors then you must continue to assess the extent of the breach
  • Determine whether disclosure of the PI was: (Check all that apply):
    • Factors:
      • Inadvertent;
      • By an employee or contractor who is authorized to access PI;
      • To another employee or contractor authorized to access PI; AND
      • With no further unauthorized use or disclosure
    • By affirmatively answering all four of the above factors then a breach did NOT occur. You do not need to continue with the risk assessment but must conduct a debriefing.
    • No, if all four factors did not apply then please use Risk Assessment Checklist to evaluate the risk incurred by the breach.
Tip Theme: 
So You've Been Hacked - How to Recover?
Tip Confidence: 

© Copyright 2018 Washington State Office of Privacy & Data Protection   |   Request Records  |   Accessibility