This is the second article in a series on establishing program metrics and benchmarking your privacy incident-management program. By explanation: Radar provides purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. A significant volume of incidents involving regulated personal data is processed through the Radar platform, and that number grows every day. The Radar team conducts ongoing analysis of incident metadata to provide insights, benchmarking metrics and best practices to help organizations in their continuous efforts to ensure compliance with data breach regulations and best practices for preventing, monitoring and remediating incidents and associated risks.
In the last installment of this benchmarking series, we analyzed the percentage of privacy incidents that rise to the level of a data breach and require notification under various data breach laws. Our data revealed that fewer than 1 in 10 incidents rrequire notice when a proper multi-factor and multi-jurisdictional assessment is performed and that organizations with a strong culture of compliance will risk assess every incident. This key benchmark can be helpful in setting a standard to compare your organization’s internal metrics and establishing performance indicators moving forward.
Once armed with this knowledge, the next metric many organizations will want to establish involves risk mitigation. And this makes sense, assuming that if you have a clear vision of what has helped or hindered your organization’s privacy measures in the past, you will be able to continue with what works and identify existing gaps.
Radar’s incident metadata provides insights into the effectiveness and prevalence of various safeguards and risk mitigation steps. If you’re responsible for demonstrating your organization’s privacy compliance, you are likely already well aware of the value of strong contractual agreements with other parties who share or process your data as the potential penalties of lax contractual agreements can be severe. For example, in April 2017, U.S. Department of Health and Human Services reached a $31K settlement with The Center for Children’s Digestive Health in Illinois following an investigation by the HHS Office for Civil Rights when a business associate revealed that neither party could produce a signed agreement. Under the General Data Protection Regulation, established contract terms and monitoring will be required, and we are all too well aware of the looming May 2018 deadline and potential fines up to 20M euros or 4 percent of your global annual revenue for an entire conglomerate.
Below, we will explore the use of contractual agreements as effective administrative safeguards implemented by organizations with a strong culture of privacy.
Effective administrative safeguards: Regulatory regimes, contracts and shoring up business agreements
We know by law and best practice that an entity should have administrative safeguards in place with other parties with whom they have data sharing or processing agreements (whether they are considered clients, processors, service providers or business associates). Given that incidents involving unintentional misdirection of regulated data are far too common, there are two main categories of contractual safeguards that can provide much-needed relief:
-
Agreements that are put in place before an incident to impose data protection obligations;
-
Agreements executed after an incident providing assurance that the recipient has not and will not further use or disclose the data.
Radar incident metadata confirms the basis for this best practice. We found that an incident resulted in a breach requiring notice only 0.5 percent of the time when the unintended recipient of personal data was an entity directly regulated by data protection laws or a party subject to a current data protection agreement. This low breach rate was not significantly affected by whether a written attestation was signed by the recipient entity after an incident attesting that personal data would not be further used or disclosed.
By contrast, when no data protection obligation agreement was in place between the disclosing entity and the unintended and unregulated recipient entity, the breach rate rose to 13 percent. In such instances, the further contractual safeguard of a written attestation assuring no further use or disclosure was helpful, lowering the breach rate to 4 percent.
If you’re a privacy professional tasked with demonstrating that your organization remains compliant, shoring up the establishment and monitoring of your contractual data protection obligations should definitely be a key priority. An added benefit, beyond reduction in breach notifications, is that the agreements can save time and effort later on should you need to obtain written assurance post-incident to establish a burden of proof.
The bottom line is when a privacy department is asked to present the positive influence of its program, having clear internal metrics and benchmarking data to tell the story can be the most effective way to demonstrate the success and growing needs of a program. It is in our best interest as privacy professionals to forge ahead measuring our efforts, establishing goals and tracking key performance indicators.
About the data used in this series: Radar ensures that the incident metadata we analyze is in compliance with the Radar privacy statement, terms of use and customer agreements. The information extracted from the platform for purposes of statistical analysis is not identifiable to any customer or data subject.
photo credit: Visual Content Data Breach via photopin (license)