Here’s a curly one…
Regulations and schemes which require mandatory data breach notification have popped up a lot in recent years e.g.
- the CCPA in California,
- Article 33 of the GDPR, and
- the Notifiable Data Breaches Scheme in Australia.
Folks who do security research and reporting understand that demonstrating at least some amount of practical impact is often an essential part of ensuring the recipient understands the problem and takes it seriously - especially when there isn’t a mature vulnerability intake and handling process in place.
The challenge I’m getting at here is that this threshold is usually pretty obvious to experienced security people (e.g. 1 record isn’t enough, 20 gets the point across, 57 million isn’t fooling anyone) but not always… and it definitely isn’t obvious to lawmakers, regulators, and so on.
So, I’m curious to know how people think about the threshold between “a POC which adequately demonstrates the vulnerability” and “a notifiable data breach”. Is there a semi-arbitrary threshold that we could land on here as a recommendation? Would that be the same for all types of data/attacks? Is there a better solution? Is anyone else working on removing the ambiguity (and associated anxiety and chilling effect) here?