This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by Radar, Inc., a provider of purpose-built decision support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.

When you experience an incident that involves regulated data, many questions come to mind. How was the data compromised? Has the incident been contained and risk mitigated? How sensitive was the compromised data? What is your organization’s role — covered entity or a third party? Is the incident a data breach? Considering these types of questions is a crucial part of any investigation and critical to conducting a proper, compliant incident risk assessment to determine if you have a data breach that requires notification to regulators, affected individuals, or to your client organizations. Every incident involving regulated data must be assessed to evaluate the potential risk of harm to affected individuals, and based on your contractual data protection obligations and the process must be documented to meet your burden of proof obligation.

Compounding the complexity of data breach response is the challenge to comply with a patchwork of ever-changing data breach notification laws. In the U.S., this is particularly convoluted. This month saw Alabama and South Dakota joining the rest of the country by each enacting a data breach notification law, which means now all 50 U.S. states regulate data breach notification, and each in a different way, with different requirements and time frames in which to provide notification.

Knowing the challenges privacy professionals face in managing and risk assessing multi-jurisdictional privacy incidents on a state, federal, and even international level, we decided to dig into the Radar metadata to learn more about the frequency of incidents that impact individuals across state lines and use this real-world data to address a common misconception around incident response management.

What the data reveals about multi-jurisdictional incidents  

If you pay attention to the news, it would be easy to assume from the headlines that a typical data breach impacts the lives of individuals across multiple state lines. The large, attention-grabbing breaches seem to tell this story. But these breaches don’t accurately represent the majority of privacy and security incidents that occur every day. 

By analyzing incident metadata from a two year span (2016-2017) across multiple industries, including health care and financial services, we found that up to 94 percent of incidents require risk assessment under a minimum of two breach notification rules, one federal and one state. This is largely due to the fact that the majority of daily incidents are not on a massive scale and involve unintentional incidents involving a small number of records and that can often be adequately risk mitigated.  

The chart below shows a breakdown of incidents spanning multiple jurisdictions by category type. You’ll see that the vast majority of incidents involve residents of a single state. Electronic incidents, unsurprisingly, have a less steep drop off than paper or verbal/visual incidents, which would make sense: Electronic data is more likely to house a greater number of records, and therefore a great number of jurisdictions.

Privacy professionals working towards compliance in the U.S. may think this is an oversimplification of their job. It would be foolish to discount the complexity of consistently risk scoring incidents under fewer jurisdictions. It still requires investigation, identification of the pertinent risk factors, and scoring the severity of the incident against the likelihood of harm to the individual. Consider, as well, that though many incidents only impact residents of a single jurisdiction (in addition to federal regulations, such as HIPAA and GLBA) an organization over the course of time will have to assess under multiple jurisdictions, so privacy professionals must always stay on top of ever-changing regulations.

This brings us to our second piece of metadata. When looking at that same two-year slice of information, we found that while most individual incidents involve few jurisdictions, over time an organization will experience incidents impacting individuals across many different jurisdictions. Think of it this way: You have an incident one day that compromises data for residents in California. The next day, you may experience a misplaced laptop containing sensitive data for residents of Washington and Oregon. This means that the privacy team over the course of its day could be required to know the ins and outs of multiple state (and applicable federal) data breach notification laws.

In fact, we found that on average, Radar customers assess incidents impacting individuals in 21 states (alongside federal jurisdictions) over the course of a year.

Jurisdictional challenges to compliance

No two state data breach notification laws are alike, and this creates a complicated landscape for privacy teams working to assess privacy incidents and remain compliant across multiple jurisdictions.

If you determine after a multi-factor risk assessment that your privacy incident is a multi-state data breach, you will be charged with providing notification across jurisdictions. Letters to affected individuals in one state will likely require different information than letters received by affected individuals in another. You may have 60 days under HIPAA to provide notice, but some states allow for only 45 or fewer days to notify affected individuals. And under the EU General Data Protection Regulation, you have 72 hours.

Some U.S. states also require notification be provided to the state attorney general and credit reporting agencies. Increasingly, we are seeing state attorneys general banding together for multi-state breach settlements — think of the $18.5M multistate settlement against Target, or how several state attorneys general have filed suit against Equifax and Uber for their largely publicized multi-state data breach.

The risk of noncompliance varies by state as well. Each state may issue different penalties per violation, per resident, or per series of violations. States may or may not enforce an injunction, allow private right of action, or enable enforcement penalties from the attorney general.

All of this variation and complexity leads to some very real consequences for organizations in heavily regulated industries in the U.S. According to the 2017 Ponemon Cost of Data Breach study, the U.S. has the highest notification costs in the world, which includes costs associated with keeping up with regulatory requirements. The IAPP Privacy Risk Study 2017 found that 51 percent of respondents indicated that achieving compliance with existing U.S. federal, state, and local laws and regulations is a threat to their to compliance with privacy laws, as is the introduction of new laws and legal standards.

So what are areas that can simplify this regulatory burden?

The first is a well-maintained resource for tracking changes in data breach laws, and referencing overviews of the intricate requirements for data breach notification in each state, federal, or international jurisdiction. If you’re a member of IAPP, you have access to the IAPP-RADAR Incident Response Center, which provides detailed overviews of data breach laws.

The second is to streamline your incident-response process, from timely incident intake and escalation to consistency in the risk assessment and scoring you use to determine if the incident is a data breach and requires notification to regulatory bodies and affected individuals. Streamlining the mechanics of incident response — how an incident is reported internally, what information must be recorded for a proper risk assessment, how you measure severity of the incident vs sensitivity of the data — creates efficiencies that help ensure you meet notification obligations, regardless of the number of jurisdictions involved.

About the data used in this series: Information extracted from Radar for purposes of statistical analysis is aggregated metadata that is not identifiable to any customer or data subject. Radar ensures that the incident metadata we analyze is in compliance with the Radar privacy statement, terms of use, and customer agreements.