When the definition is unclear like this, I would say companies tend to over-report what they're reasonably certain probably isn't a breach and under-report things in the grey area that probably are a breach.
We can be reasonably certain the regulators won't want to be bothered with every account statement misdelivery but they haven't specifically told us. Self-reporting this is low risk and demonstrates an effort at complying with the regulation. It also has the added "benefit" (from the corporation's perspective) of demonstrating to the regulator how onerous and unreasonable the compliance obligations will be for their office if they don't make an effort to set "reasonable" compliance and reporting standards (again, from the corporation's perspective).
But the contractor who "misplaced" the flash drive of customer data? Well, we haven't been told that's a breach because we don't know that it's "lost." It certainly feels like something a regulator would care about more than a misdelivered account statement, but they haven't specifically told us they care about this scenario yet. That's a risky thing to self-report because there will probably be consequences, and we have no idea what the consequences are because it hasn't come up for anyone else yet either. In that case it's low(er) risk not to report it and hang our hat on the ambiguity of the new regulation in the very unlikely event the regulator even gets wind of the breach. The strategy is to ask for forgiveness for our ignorance of the scope rather than clarification.
It's not right, but that's how it works.
Source: Corporate attorney/Former Chief Info Security Officer at an investment bank. I quit over their handling of a particularly egregious PII breach.