This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR, Inc., a provider of purpose-built decision support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.
In today’s privacy landscape, it seems to be a daily occurrence that we see a large-scale data breach making headlines and causing c-suite executives, board-level stakeholders, and the general public to stop and pay attention to how organizations are using and protecting sensitive, regulated data.
These large-scale data breaches are certainly attention-grabbing, but in truth they are only the tip of the privacy and compliance iceberg. Large breaches impacting thousands if not millions of individuals tend to overshadow the more commonplace and everyday privacy incidents and data breaches, which also fall under the purview of privacy professionals to assess, make a breach determination, and follow up with corrective actions and required regulatory notification obligations.
For this month’s benchmarking article, we decided to shine light on the often overshadowed area of smaller privacy incidents and data breaches, with real-life statistics culled from aggregated and anonymized Radar incident metadata.
Radar incident metadata allows a unique lens into often undisclosed privacy information, giving insights into privacy incidents as well as data breaches that may not impact many individuals and thus not garner as much attention. For example, smaller-scale data breaches may go unreported to regulators in many states because their data breach notification law only requires notice to the state attorney general or other regulators if the breach impacts a certain number of individuals. Another example is the Health and Human Services breach portal (often referred to as the “Wall of Shame”), which only displays data breaches affecting 500 or more individuals.
Diving into the metadata, we sought to answer the question: On average, how “big” are these incidents when it comes to the number of affected individuals?
Everyday incidents and data breaches: The smaller the disclosure, the more commonplace
Upon analysis we found that, for both incidents and data breaches in the two-year span from 2016 to 2017, far and away the most common profile was an unauthorized disclosure of a single record, or one affected individual. In fact, over 80 percent of all incidents and data breaches impacted one individual’s record. And there is a general trend in the data: The greater the number of affected individuals per incident or breach, the less frequent those occurrences are.
Here is where I warn you not to fall into the temptation to take this information as an excuse to rest on your laurels: just because most incidents involve a small number of affected individuals does not mean your regulatory obligation is lifted.
Once an incident happens, no matter if it’s impacting one record or one million, you are required to perform a multi-factor risk assessment to determine if there is risk of harm to an individual that would qualify that incident as a data breach and necessitate notification to that individual and regulators. And while these small-scale data breaches may not meet the threshold to require notification to state attorneys general, in all cases the threshold of notification to an individual or the federal regulators is one.
In fact, many states have regulations that have lowered the attorney general notification threshold to one record, as well. In New York and Indiana, for instance, notification must be provided to the state attorney general if any individual is notified, a one-to-one notification requirement.
Contending with a data breach involving one affected individual also doesn’t mean your compliance obligations are simple. The data breach could be multi-jurisdictional, requiring compliance with both the state and federal regulations. For each jurisdiction you must perform a multi-factor risk assessment and breach determination appropriate to that jurisdiction (which varies widely) and provide compliant notices as required.
Single-record incidents: Which is more common, paper or electronic?
When we break down the metadata by category of incident — electronic, paper, or verbal/visual — we see some further distinction in the size of these occurrences. When it comes to small-scale incidents and data breaches (those with only one affected individual), paper records are over two times more likely to be the culprit.
This makes sense. As we explored in a benchmarking article earlier this year, electronic incidents typically expose more records per incident, but paper incidents and data breaches are much more commonplace and typically involve a smaller number of affected individuals.
This is also a good point at which to mention that paper incidents cannot be ignored. By volume alone, it is clear this is an important incident category, and it is often one that is most difficult to track. The most sophisticated electronic detection system won’t catch incidents involving paper records. And we’re seeing an increase in regulations around paper records. Currently nine states regulate paper incidents right alongside electronic, and under U.S. federal breach laws and the EU General Data Protection Regulation, there is no distinction between paper or electronic information when it comes to protecting personal data.
Great or small, you must assess them all
Beyond the number of affected individuals, you have a regulatory obligation to risk-assess every incident. In order to meet your burden of proof, you must provide a consistent, defensible multi-factor risk assessment under HIPAA, GDPR, GLBA, and state regulations. This documented process is also critical in demonstrating good faith and compliance should your organization be audited by internal stakeholders or regulators. It’s also just a best practice. Assessing all incidents, small and large, reinforces a strong culture of compliance.
Gathering this data, and being able to identify trends within your own organization, also means you will build an internal benchmarking program. If a privacy program is not sufficiently tracking every incident, it is missing out on a major source of data to track and analyze in order to continually reduce risk and improve the program.
Notifiable data breaches should be less common than incidents when an organization has a strong culture of detection, consistent risk assessment, risk mitigation and compliance. In fact, our metadata confirms that with sufficient risk mitigation and based on a compliant incident risk assessment, organizations can keep 80 percent of incidents below the notification threshold. This does not mean that fewer incidents is the only goal.
Don’t be afraid of a high volume of incidents. In fact, seeing a trend towards fewer reported incidents could actually be an indicator that you’re missing something. An increase in incidents is often considered a good sign, as it shows the positive impacts of training, an awareness of privacy concerns, and a healthy privacy program that can manage volume consistently and efficiently.