This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by Radar, Inc., a provider of purpose-built decision support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.

As the calendar year comes to a close, many of us in the privacy field find ourselves tending to year-end tasks, planning for the start of a fresh first quarter, and reflecting on the last 12 months of work. Year-end program statistics are gathered, budgets for the next year loom on the horizon, and measuring and demonstrating the efficacy of your compliance program to internal and external stakeholders becomes top of mind. In short, this is an excellent time to consider privacy program metrics.

In the spirit of this season of reflection, this installment of our benchmarking series will reexamine a few of our past benchmarking statistics, particularly diving deeper into the points that sparked interest at our 2017 Privacy.Security.Risk. session, “Let Your Data Do the Talking: Benchmarking Your Privacy Program.” If you’re interested in reviewing the data from this panel discussion, a PDF of the slides has been made available by the IAPP. Before we dive in, a few important definitions:

• Incident: An event pertaining to the potential unauthorized use or disclosure of regulated data, such as personally identifiable information (PII) or protected health information (PHI).
• Data breach: When an incident meets specific legal definitions per applicable breach regulations. These occurrences can require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies or the media.
• Mandatory notification: When an organization is obligated to notify affected individuals and regulatory agencies based on conducting an incident risk-assessment and determining that the incident crosses the harm threshold as defined by applicable breach notification laws.
• Voluntary notification: When an organization’s incident risk assessment does not cross the risk of harm threshold or when the incident is exempt from notification, but the organization has elected to notify regardless, based on their culture of compliance.

Benchmarking stats: Rate of notifiable privacy-incidents remains flat

In our first article in this series, an analysis of metadata from data incidents revealed that only one in ten security or privacy incidents rise to the level of a breach requiring notification to regulatory agencies or affected individuals. This data point, reported in May 2017, took into account all incidents discovered in 2016 that were subject to state and federal data breach laws in the U.S.

We are now able to consider more recent incident metadata, for incidents discovered in 2017 up until September 30 of this year. This new data indicates that this statistic has held steady in the first nine months of this year. Of all incidents discovered in that time, 90.4 percent did not reach a threshold requiring notification after a compliant multi-factor risk assessment was performed. It is critical to point out that the presumption of breach standards, such as that under HIPAA, dictate that all incidents are presumed to be breaches requiring notification unless proven otherwise based on a consistent and documented risk assessment that takes into account appropriate risk-mitigation steps performed by the breached entity. Some organizations have a tendency to over-report incidents, thinking that erring on this “conservative” side is safer, but in reality it can damage your brand reputation and trust from consumers and partners and raise questions about your compliance with regulators. Over time, there is real damage done to brand and reputation.

Further breaking down the roughly one in ten incidents that are considered to be a data breach, we have discovered that while 9.6 percent  of all incidents are notifiable, only 8.7 percent require mandatory notification (considered a data breach by Radar users) and in a very small percentage of all incidents — 0.9 percent or roughly one in every ten data breaches — entities are voluntarily notifying affected individuals.

What does voluntarily notifiable mean? Voluntary notice may be given based on an organization’s culture of compliance when an incident risk-assessment does not clearly cross the risk of harm threshold or meet regulatory exceptions.

An example of a typical voluntary notification would go as follows: A paper-based incident (such as misdirected mail) with likelihood of adverse impact to the affected individuals may be exempt from notification under many state laws as a result of an incident risk assessment, but the organization, based on its own culture of compliance, may decide to notify those affected.

We’ve also seen, as reported previous benchmarking articles, that there is a tendency to voluntarily report an incident when the fault was with a third-party vendor. In fact, covered entities are six times more likely to voluntarily notify affected individuals when the incident is externally sourced and attributed to a third party.

Very few attacks are malicious in nature

The news cycle these days is filled with stories of less-than-reputable individuals or groups orchestrating attacks on organizations' data, causing a real fear of hacker, phishing, ransomware or point-of-sales attacks. The possibility of attacks on your organization may keep you up at night, but are you focusing on the right risk points?

According to Radar metadata, the majority of incidents that occur are due to unintentional, inadvertent actions, not malicious attacks or intent. Of all incidents from 2016 and through end of September of 2017, only 1 percent were considered malicious, 2.5 percent were considered intentional but not malicious, and the remaining 96.5 percent were unintentional and inadvertent.

This data shows that, while a fear of high-profile attacks can dominate news cycles, in reality, incidents occur most frequently due to things like process breakdowns and poor employee training.

Data breach volume trending down

To round out year-end metrics, a useful trend to monitor is the volume of data breaches over time. Radar metadata reveals a steady decline in the number of mandatory reportable incidents from January 2016 to the end of September 2017.

This trend is a gentle decline, so it will need to be monitored, though this reduction in data breaches could perhaps reflect improved security measures in the community, a broader practice of assessing every incident, or greater awareness of the multi-factor risk assessment process and what constitutes risk of harm, allowing more incidents to remain short of the threshold of breach. 

As you analyze your privacy program, it’s important to look ahead to what 2018 will bring. Long after we’ve all abandoned the gym and forgotten our personal New Year’s resolutions, our privacy programs will have to be hard at work. With the coming year also comes GDPR and its 72-hour notification requirement, numerous potential stateside changes to breach-notification regulations, and new and ever-vexing ways to test and attack our privacy programs.

That’s why I encourage my colleagues in the privacy field to commit to building a consistent baseline in incident measurement now by establishing a policy of assessing and recording every incident. Having established goals, performance indicators, and the ability to report the improvements and hard work of your team with objective numbers can be a real advantage in the year to come. Programs that assess every incident will also be better prepared to operationalize and deal with the looming GDPR breach notification requirements.

About the data used in this series: Radar ensures that the incident metadata we analyze is in compliance with the Radar privacy statement, terms of use, and customer agreements. The information extracted from the platform for purposes of statistical analysis is not identifiable to any customer or data subject.