This is the first article in a series on establishing program metrics and benchmarking your privacy incident management program. Radar provides purpose-built software designed to guide users through a consistent, defensible process for incident management and risk assessment. A significant volume of incidents involving regulated personal data is processed through the Radar platform, and that number grows every day. In this series, the Radar team will provide our analysis of incidents’ metadata in an effort to help privacy pros gain valuable insights, benchmarking metrics, and best practices to use at your organization in your continuous efforts in preventing, monitoring, and remediating incidents and associated risks.
Data breach. It’s a term that strikes fear in the heart of many a privacy professional. It’s also a term that is increasingly understood and taken seriously by C-suite executives, board-level stakeholders and even the average citizen, partly because, everywhere you turn, it seems that large-scale data breaches are making headlines. Reports and studies of data breaches abound, and while these reports help companies plan their security budgets, gauge risk and anticipate emerging trends in the types of vulnerabilities impacting their data, they are missing a key metric for benchmarking privacy programs.
Data breaches only tell part of the story about the health of your organization’s privacy program, ignoring the thousands of incidents that occur every day.
As the Global Privacy Officer at Radar, I am afforded a front-row view into how companies manage the incident-response life cycle. Our customers set the standard for a strong culture of compliance and commitment to data privacy best practices. In the process of working with them and seeing the way they manage incidents, trends emerge.
But what is an incident? How do you know when it is a data breach and requires notice? Understanding how to label privacy occurrences can determine which departments should be involved, what actions should be taken, if notification is required and when. And not every incident involving regulated data is a data breach by default. For instance, a ransomware attack such as the recent WannaCry event can in some cases be remediated if you are able to show there is low probability the data has been compromised, there is a low risk of the data being unavailable for use, etcetera.
A data breach is just the tip of the iceberg
Looking at incidents discovered in 2016 that were subject to state and federal data breach laws, 9.54% of incidents rose to the level of breach, as determined by the decision-support guidance provided by the Radar platform. This means that, on average, for every breach reported, at least 10 are security or privacy incidents that do not rise to the level of a breach requiring notification. This also suggests that, if a privacy program is not sufficiently tracking incidents, they are missing out on a major source of data to track, analyze and continually improve upon their program.
Digging into that figure — nearly one in 10 — it would be easy to look at this data and mistakenly assume it makes a case for more lax incident tracking and reporting. If only one in 10 incidents is a breach, what reason is there to be stringent in your reporting?
Presumption of breach: Every incident matters
The first reason to risk assess every incident is that there is a presumption of a breach by law that results in over notification without it. Meeting the burden of proof requires consistent and defensible risk assessment — see HIPAA sec. 164.402(2)(1), GDPR - Article 33(5), and the Interagency Guidance on Response Programs (GLBA) for just three examples. In the case of an audit, it is hard to credibly demonstrate care, good faith and compliance without incidents being properly logged and risk assessed. Assessing every incident, regardless of a “gut feeling” as to its severity, ensures that the decision and the process are defensible with regulators by providing a record of consistently measuring the appropriate risk factors in each assessment.
Our customers have told us they make sure that assessing every incident is part of their everyday practice in building a strong culture of compliance. By documenting and assessing every incident, every time, your organization will have complete documentation of each incident, as well as a record of every aspect of your decision as you conduct incident assessments, even for incidents that clearly fall outside of regulatory requirements. In addition, they find that including all incidents, small and large, reinforces an institutional habit that tends toward compliance by default, which is a goal for which any responsible institution strives.
You can’t see trends if you don’t track the data points
Performing a multi-factor risk assessment for every incident, regardless of its apparent severity during an investigation, ensures that your privacy program is consistent and defensible. It also helps alleviate the risk of over- or underreporting.
When looking at figures that indicate few incidents escalate to the status of a data breach, it is easy to overlook the wave of incidents occurring every week and month, which can result in over- or underreporting data breaches.
Risks of underreporting:
Missing notification requirements
Fines and penalties
Brand and reputational harm
Risks of overreporting:
Lose customer confidence
Heightened regulatory scrutiny
Brand and reputational harm
The perseverance of paper
An interesting contrast to this 9.54% figure is the popular Verizon Data Breach Investigation Report, which looks at the same time period and has a rate of 4.5% incidents escalating to a breach. This surfaces an important and often-overlooked category of incidents: non-electronic.
The Radar data set includes paper incidents and visual/verbal incidents, categories of an incident that may expose fewer records per incident than electronic incidents but are in reality much more commonplace — think of the frequency of misdirected mail or fax. Every day, there are small incidents involving just a few records, and every incident, including paper, must undergo a compliant multi-factor risk assessment to establish your burden of proof, particularly when deciding not to notify because you were able to properly mitigate the risk as permitted by law.
Privacy programs, private measures: The importance of sharing benchmarking metrics to establish industry standards
We privacy professionals often lack objective benchmarks against which to compare our own internal metrics or to begin to forecast what our departments’ resource requirements may be. When a privacy department is asked to present the findings of their program, having goals and performance indicators expressed in hard numbers can be a real advantage.
If you want to comment on this post, you need to login.