Privacy Ref Blog

All Steamed Up

Earlier this month, Valve experienced an issue with data caching and what some call a data breach.  Valve is a gaming company famous for many titles, but also for their virtual storefront, Steam.  The short story is that Valve’s virtual storefront, known as Steam, had a glitch that allowed someone logged in to potentially see another user’s personal information.  The personal information included names, digital identities, emails, and possibly credit card information.  For a more complete summary, check out this video.

Some people are saying that this is not a data breach.  In fact, a lot of people on Twitter were on both sides of the argument, it was or was not a breach.  So I thought this would be a good time to explain when a data breach occurs and also find out why so little has been said by Valve.

Was This a Breach?

If you go online and look up “definition of data breach,” you get this explanation from techtarget.com:

                “data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.”

That is pretty straight forward, but now we have to figure out what Personally Identifiable Information (PII) is.  The International Association of Privacy Professionals defines PII, otherwise referred to as Personal Information, as follows:

“Personal information can include name, age, gender, street address, email address, social security number (national identity number) and/or telephone number. This information can exist in many forms (electronic or hard document as two examples) and may be managed or stored according to one or more general classifications.”  (Information Privacy Official Reference for the Certified Information Privacy Professional, pg 7)

Legally, the definition of PII varies depending on the jurisdiction.  Steam is one of the biggest virtual storefronts for videogames and other software.  It is used by individuals around the globe.  Some things that are generally considered PII were exposed by Valve; full names, credit card numbers, and digital identities (like a username) are all considered PII in most jurisdictions.  Now, that is not to say every jurisdiction includes those items, but most do, and that means a breach, as legally defined, occurred in those areas.  This is probably why Valve has been so quiet on the matter, only saying they fixed the root cause.

Have a Better Game Plan

The first step in dealing with a data breach is to determine whether it actually happened.  Then you are supposed to close off the source of the breach or “stop the bleeding”.  After that communication is the key to successful breach handling; communication with customers, employees, law enforcement, regulators, company stakeholders, and the media to name a few.

Valve and their privacy team are most likely (hopefully?) looking at what they need to do next, determining what parties need to be contacted, if any.  The issue here is that they have been quiet on the matter.  A lack of information can set your customers (and law enforcement or regulators) on edge, especially when the customers are a technologically involved group like gamers.  Gamers are much more prone to checking online news outlets already, searching for game reviews or previews, and these same sites will carry news about the Steam situation.

Overall, this is still a very recent event.  Taking place right before Christmas, there is still some time to come before this case is closed completely.  If anything, the online reactions to this breach when compared to other recent breaches does illustrate how being open and honest can build trust with customers or how that trust may be tainted.

Privacy is about trust, and without it, your customers may become anxious about allowing you to handle their information.  Having a strong breach plan, knowing what information to share, and where and when to share it can keep your company on top in the event of a privacy event.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on January 4, 2016 by Ben Siegel


« »

No Responses

Comments are closed.


« »

Subscribe to our mailing list

Please fill out the form below.

Required

Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to info@privacyref.com or call (888) 470-1528.

News

February 8, 2017

New On-Line Class Offering
Learn more about privacy program fundamentals with Bob Siegel and Privacy Ref. Find out more about this offering on our On-Line Classes Page.

Latest Blog Posts

January 17, 2017

Your Privacy Resolution
A new year usually means setting a goal to remodel that extra bedroom, cut out caffeine, or finally hit the gym for 30 minutes a day.  This year you have an even greater goal in mind, the improvement of your privacy program.  Here are some great ways to start you on your way to achieving just that. Continue reading this post...

Happy Data Privacy Day
(Note, this post first appeared in the Operational Privacy blog on CIO.com) Data Privacy Day (DPD), held every January 28 and coordinated by the National Cyber Security Alliance (NCSA), is an international effort highlighting “Respecting Privacy, Safeguarding Data and Enabling Trust." DPD provides an opportunity for you to re-enforce these themes within your organization to improve privacy awareness. The result is that you will increase your customer’s trust in your organization while reducing costs and liabilities due to human error while handling personal information. [Disclosure: My company, Privacy Ref Inc., is a sponsor of Data Privacy Day.] Continue reading this post...

Other Recent Posts

PRIVACY REF