Where does a “good POC” stop and a “notifiable data breach” begin?

Here’s a curly one…

Regulations and schemes which require mandatory data breach notification have popped up a lot in recent years e.g.

• the CCPA in California,
• Article 33 of the GDPR, and
• the Notifiable Data Breaches Scheme in Australia.

Folks who do security research and reporting understand that demonstrating at least some amount of practical impact is often an essential part of ensuring the recipient understands the problem and takes it seriously - especially when there isn’t a mature vulnerability intake and handling process in place.

The challenge I’m getting at here is that this threshold is usually pretty obvious to experienced security people (e.g. 1 record isn’t enough, 20 gets the point across, 57 million isn’t fooling anyone) but not always… and it definitely isn’t obvious to lawmakers, regulators, and so on.

So, I’m curious to know how people think about the threshold between “a POC which adequately demonstrates the vulnerability” and “a notifiable data breach”. Is there a semi-arbitrary that we could land on here as a recommendation? Would that be the same for all types of data/attacks? Is there a better solution? Is anyone else working on removing the ambiguity (and associated anxiety and chilling effect) here?

I don’t think there will ever be a definable rule for this because the ways in which data can be breached are too dynamic, and many of the methods would not allow an easy way to limit the amount of records that you pull.

For example, what if a security researcher finds a backup .sql file with 52 million records in it? The only way to check what’s inside would be to download the whole file, which contains 52 million records.

Unfortunately I think it will always need to be one of those things that comes down to subjective judgment calls.