Privacy Ref Blog

All Steamed Up

Earlier this month, Valve experienced an issue with data caching and what some call a data breach.  Valve is a gaming company famous for many titles, but also for their virtual storefront, Steam.  The short story is that Valve’s virtual storefront, known as Steam, had a glitch that allowed someone logged in to potentially see another user’s personal information.  The personal information included names, digital identities, emails, and possibly credit card information.  For a more complete summary, check out this video.

Some people are saying that this is not a data breach.  In fact, a lot of people on Twitter were on both sides of the argument over whether it was or was not a breach.  So I thought this would be a good time to explain when a data breach occurs and also find out why so little has been said by Valve.

Was This a Breach?

If you go online and look up “definition of data breach,” you get this explanation from techtarget.com:

“data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.”

That is pretty straightforward, but now we have to figure out what Personally Identifiable Information (PII) is.  The International Association of Privacy Professionals defines PII, otherwise referred to as Personal Information, as follows:

“Personal information can include name, age, gender, street address, email address, social security number (national identity number) and/or telephone number. This information can exist in many forms (electronic or hard document as two examples) and may be managed or stored according to one or more general classifications.”  (Information Privacy Official Reference for the Certified Information Privacy Professional, pg 7)

Legally, the definition of PII varies depending on the jurisdiction.  Steam is one of the biggest virtual storefronts for videogames and other software.  It is used by individuals around the globe.  Some things that are generally considered PII were exposed by Valve; full names, credit card numbers, and digital identities (like a username) are all considered PII in most jurisdictions.  Now, that is not to say every jurisdiction includes those items, but most do, and that means a breach, as legally defined, occurred in those areas.  This is probably why Valve has been so quiet on the matter, only saying they fixed the root cause.

Have a Better Game Plan

The first step in dealing with a data breach is to determine whether it actually happened.  Then you are supposed to close off the source of the breach or “stop the bleeding”.  After that, communication is the key to successful breach handling: communication with customers, employees, law enforcement, regulators, company stakeholders, and the media, to name a few.

Valve and their privacy team are most likely (hopefully?) looking at what they need to do next, determining what parties need to be contacted, if any.  The issue here is that they have been quiet on the matter.  A lack of information can set your customers (and law enforcement or regulators) on edge, especially when the customers are a technologically involved group like gamers.  Gamers are much more prone to checking online news outlets already, searching for game reviews or previews, and these same sites will carry news about the Steam situation.

Overall, this is still a very recent event.  Because it took place right before Christmas, there is still some time to come before this case is closed completely.  If anything, the online reactions to this breach, when compared to other recent breaches, do illustrate how being open and honest can build trust with customers or how that trust may be tainted.

Privacy is about trust, and without it, your customers may become anxious about allowing you to handle their information.  Having a strong breach plan, knowing what information to share, and where and when to share it can keep your company on top when a privacy event occurs.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on January 4, 2016 by Ben Siegel

