Welcome to ITS! Learn more about our strategic partnership with Digital Seattle!

Mark Sheldon Villanueva

By: Mark Sheldon Villanueva on October 27th, 2022

Print/Save as PDF

Security Incident or Data Breach: What’s the Difference?


So you just experienced a cyber attack, and your team was able to contain it. However, you realized that some of your data were stolen upon closer investigation.  

Did you experience a security incident, or was it a security breach? 

If you don't know the difference, we don't blame you. A lot of the information you can find online often uses the terms interchangeably. On the other hand, industry experts say there's a clear distinction and that it's important you know it. 

Incident and Breach written on a chalkboard

It might seem like a minor thing, but both "incident" and "breach" carry weight in the world of cybersecurity. Using the wrong one to describe your circumstance could lead to difficult consequences. It can hurt your reputation with clients and customers or impact your compliance with national and international regulations, both of which are major headaches you can avoid just by using the correct terminology. 

Intelligent Technical Solutions (ITS) is a security-focused IT support company with years of experience helping businesses navigate and understand cybersecurity issues. In this article, we'll draw the line between a security incident and a security breach to help minimize the confusion and dive into why it matters. 

Security Incident vs. Security Breach 

Before we go in-depth into the differences between an incident and a breach, we must first understand the definition of each term. 

To help with that, let's look at how Verizon defines both terms in its Data Breach Investigations Reports: 

  • Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset 
  • Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party 

With that definition, you can tell that while a breach can be described as an incident, not all incidents can be described as a breach. That's an important distinction. 

"When we use the word breach, that has a connotation to it, and that really elevates the level of severity of whatever the thing is," Says Rob Schenk, Chief Experience Officer of ITS.

He further adds that using the word breach "sets off a lot of alarm bells," as it signifies that there's been a serious incursion. 

In the most basic sense, a security breach is any security incident that has been escalated to a higher level of severity. It's an event that you likely can't brush off and sweep under the rug. 

When is a Security Incident a Breach? 

Now that you know that breaches are classified as more severe, let's dive into what qualifies an incident to be escalated into a breach. 

The fundamental difference between the two is what happens after an incident occurs. If your organization complies with any industry regulations, you likely have to follow specific protocols when a breach happens. That could include contacting affected individuals, regulatory agencies, credit reporting agencies, and sometimes, even the media. 

questions to ask yourself to know if an incident is a breach

Schenk says you will know that an incident is potentially a breach when the situation requires you to deal with entities like forensics investigators, legal teams, regulators, or even your insurance company. That means you should be very careful in labeling any incident as a breach, as it can become an expensive issue. It could also cause irreparable damage to your reputation or impact on your regulatory compliance. 

To help you determine how an incident can be classified as a breach, ask yourself the following questions: 

What data was compromised? 

Some information is protected and regulated. For example, under the Health Insurance Privacy and Accountability Act (HIPAA), sensitive patient health information is protected from being disclosed without the patient's consent or knowledge. That means if you keep protected information and it was compromised, you have a potential breach in your hands. 

Who tried to gain access? 

Some entities have legal protection to access sensitive data. However, once it is determined in the investigation that the individual who accessed the information has a potential motivation to abuse it, it could be classified as a breach. 

Did the attacker gain access to the data? 

If an attacker could access or view protected information in any way, that could escalate an incident into a breach. This could be determined through a forensic investigation. 

How was the incident mitigated? 

How well you mitigate a breach may impact how it's classified later on. If you can halt an attack swiftly, retrieve lost data, or ensure that stolen data is destroyed, the situation can be labeled an incident rather than a breach.   

New call-to-action

Why is it Important to Know the Difference? 

Differentiating words to describe an event might seem trivial, but that's only because you likely haven't experienced a full-on breach – yet. The fact is, it's a near certainty that your business will experience security events in the foreseeable future. When they do happen, you will need to know what to label the occurrence because that will help inform your team of the following: 

  • Which departments should get involved 
  • What actions should you take 
  • How to resolve or mitigate the impacts of the event 
  • Whether you are legally required to notify certain entities and individuals 
  • Who to notify, when to notify, and how to notify involved parties   

That information will dictate your team's incident response, which will help you minimize the financial, regulatory, and reputational risks to you and your company. 

Incident response plan

For example, if you label an incident as a breach, there's a chance you will be legally compelled to announce the event publicly. 

"You might have to put your name on a website and say that ‘our company was breached,’ and here's what you did to mitigate and change things and prevent it in the future," Schenk said.

Unfortunately, that will have some serious ramifications down the line, like reputational damage and compliance issues. 

"So, we [want to] keep it as a security incident for as long as possible until there's no other way because a breach means lawyers, it means insurance, and it means the FBI," he added. 

Ready to Protect Yourself Against Data Breaches? 

Labeling whether a security event is an incident or a breach might seem semantic, but both terms carry weight when it refers to cybersecurity. An incident is a precursor to a breach and refers to any activity that compromises your security. On the other hand, a breach is any case where protected data is confirmed to have been accessed by individuals motivated to abuse the information. 

In other words, it's important to remember that it's in your best interest to use the term breach sparingly and only when you have no other choice. That's because it could impact your company's reputation and cause issues with compliance. 

At ITS, we are dedicated to providing businesses with advanced cybersecurity solutions that can help protect against security incidents and data breaches. Learn everything you need to know about data breaches when you download our eBook: Data Breaches: A Definitive Guide for Business Owners. 

New call-to-action