Benchmarking your privacy incident management program


Contributors:
Alex Wall
AIGP, CIPP/E, CIPP/US, CIPM, FIP
Principal Attorney
Wall Law
Mahmood Sher-Jan
CEO
RadarFirst
This series provides an overview of establishing program metrics, benchmarking your privacy incident management program, and best practices to use at your organization in your continuous efforts to prevent, monitor, and remediate incidents and associated risks.
Series Overview
Why every incident matters
This article explains why organizations should evaluate all privacy incidents—not just breaches—as most incidents never meet breach thresholds, yet still provide critical program insights and help strengthen compliance through consistent, defensible risk assessment practices.
Data protection is a team sport
This article highlights benchmarking data showing that fewer than one in ten incidents become notifiable breaches and emphasizes how strong administrative safeguards—especially robust vendor contracts—play a key role in risk mitigation and program maturity.
Surprising stats on third-party vendor risk and breach likelihood
This article analyzes rising third‑party incident risks, revealing trust gaps in vendor breach reporting and noting that incidents sourced from external parties often behave differently and may carry higher risk than internal events.
From incident to discovery to breach notification
This article examines average timelines across the incident‑response lifecycle—occurrence, discovery, assessment, and notification—and discusses how increasingly strict regulations like GDPR’s 72‑hour rule heighten the need for efficient, well‑documented processes.
How does your privacy program measure up?
This article encourages privacy teams to reassess key program metrics annually, reviewing benchmarks such as notifiable-incident rates to demonstrate privacy program effectiveness and guide future improvements.
Was 2017 the 'year of the breach?'
This article reviews 2017 incident data and finds that despite headlines dubbing it the “year of the breach,” notifiable incidents remained consistent year over year, underscoring the importance of rigorous risk assessment rather than media narratives.
Benchmarking incidents involving regulated data as the GDPR looms
This article explores patterns in regulated‑data incidents and explains how varying definitions of personal data across U.S. laws complicate incident classification—an issue expected to intensify with GDPR’s broader applicability.
The state(s) of privacy incidents
This article dispels assumptions that incidents typically affect multiple jurisdictions, showing instead that most incidents impact a small number of individuals but still require multi‑rule assessment due to overlapping state and federal laws.
Benchmarking data reveals the human error in privacy incidents
This article demonstrates that human error accounts for more than 96% of privacy incidents, making inadvertent mistakes far more common than malicious acts and emphasizing the importance of training, processes, and controls.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.