
The Ever-Evolving Definition of “Acquisition of Data”

on Tuesday, 26 August 2025 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

Every state, several federal agencies, and even territories of the United States have data breach notification statutes. The definition of what constitutes a data breach usually involves the terms “access” or “acquisition” of data. The terms have distinct meaning, but the definition of “acquisition” has slowly changed with guidance and commentary to encompass additional and different interactions with data.

The definition of a data breach under Nebraska law is:

“the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.”[1]

In addition to the data being computerized (which carries its own set of legal questions), the data must have been “acquired”. The term “acquired” has been defined differently by different states and federal agencies, but it has traditionally been understood to mean copying, moving, or exfiltrating data. This understanding is demonstrated by asking AI what is commonly understood by the term “acquisition” of data, as the term is used in data breach statutes:

Westlaw AI[2]:

In summary, acquisition in the context of data breach notification laws refers to unauthorized access and obtaining of personal information….

ChatGPT[3]:

  • Access vs. Acquisition:
    • Access: Merely viewing or being able to view data.
    • Acquisition: Taking control or possession of the data, such as copying, downloading, transferring, or using it.
  • Examples of Acquisition:
    • Copying files from a company server during a cyberattack.
    • Downloading customer records without authorization.
    • Exfiltrating data via malware or phishing.

The definition of acquisition then requires access to data but also includes taking the data in some form. Indeed, this common understanding is reflected in state statutes such as the Alabama data breach notification statute under a risk analysis of such a taking:

(1) Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information.

(2) Indications that the information has been downloaded or copied….[4]

Such language suggests the term “acquisition” is evaluated in terms of possession of the data such as in a lost device which is no longer in the possession of the owner, or a file that has been downloaded, moved, exfiltrated, or copied.

With respect to protected health information (“PHI”) under HIPAA, what constitutes acquisition was clarified in guidance from the Health and Human Services Office for Civil Rights (“OCR”) regarding ransomware, which expanded the definition to include “control” of the data in a file:

A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule[5] (emphasis added)

Under this OCR guidance, acquisition occurs when a file is encrypted and the entity has lost control of the data, even if the data is not moved, copied, downloaded, or exfiltrated. This guidance may be troublesome if the files were encrypted in a drive-by attack, where files were encrypted with malware but the attackers may not have had access to the network. An acquisition has still occurred according to this guidance. We note this guidance was met with much pushback from the industry as to whether it can be supported by the statute and regulations.

Adding to the confusion, the Federal Trade Commission (FTC) has weighed in on the issue with commentary in the final rule for data breach and notification requirements under the Gramm-Leach-Bliley Act (GLBA). In the comments to the final rule, the FTC noted:

The presumption is “intended to address the difficulty of determining whether access to data (i.e., the opportunity to view the data) did or did not lead to acquisition (i.e., the actual viewing or reading of the data).”[6]

Thus, under FTC commentary, data has been “acquired” if it has been read or viewed. The FTC’s focus has now changed from possession of data (as happens when data has been moved, copied, downloaded, lost or exfiltrated), or control of the data (as happens when a file is encrypted in place), to viewing or reading of the data. It’s worth noting that “viewing or reading” was the original definition of “access”.

The definition of the term “acquired” will continue to evolve, but one thing is certain: each data breach will need to be evaluated on its own facts and circumstances to determine whether an “acquisition” has occurred under the laws applicable to the data holder.

[1] Neb. Rev. Stat. 87-802

[2] The prompt submitted to Westlaw AI was “definition of acquisition as the term is used in data breach notification laws”.

[3] The prompt submitted to ChatGPT was “common understanding of the term acquisition of data as the term acquisition is used in data breach statutes”.

[4] https://www.alabamaag.gov/wp-content/uploads/2023/08/Act-2018-396.pdf

[5] https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html

[6] Federal Register, Vol. 88, No. 217, Monday, November 13, 2023, Rules and Regulations, p. 77503.
