Series: Benchmarking your privacy incident management program

This series, written for The Privacy Advisor by the team at Radar, is about establishing program metrics and benchmarking your privacy incident management program. Radar provides purpose-built software designed to guide users through a consistent, defensible process for incident management and risk assessment. A significant volume of incidents involving regulated personal data is processed through the Radar platform, and that number grows every day. The Radar team will analyze the metadata of these data incidents to help privacy pros gain valuable insights, benchmarking metrics, and best practices to use at your organization in the continuous effort to prevent, monitor, and remediate incidents and associated risks.

Beyond data breach: Why every incident matters

Alex Wall, CIPP/E, CIPP/US, CIPM

What is an incident? How do you know when it is a data breach that requires notice? Understanding how to label privacy occurrences can determine which departments should be involved, what actions should be taken, and whether notification is required and when.

Data protection is a team sport: Benchmark data tells the story

Mahmood Sher-Jan

Once armed with the knowledge from part one of this series, the next metric many organizations will want to establish involves risk mitigation. This makes sense: if you have a clear view of what has helped or hindered your organization’s privacy measures in the past, you can continue with what works and identify existing gaps.

Surprising stats on third-party vendor risk and breach likelihood

Mahmood Sher-Jan

In this installment of the series, Sher-Jan explores an issue becoming more widely reported as companies react to recent large-scale data breaches and make preparations for compliance with the EU GDPR: managing the risk of incidents caused by third-party vendors.

From incident to discovery to breach notification: Average time frames

Mahmood Sher-Jan

How does your privacy program measure up? New Year's resolutions

Alex Wall, CIPP/E, CIPP/US, CIPM

As the calendar year comes to a close, many of us in the privacy field find ourselves tending to year-end tasks, planning for the start of a fresh first quarter, and reflecting on the last 12 months of work. Year-end program statistics are gathered, budgets for the next year loom on the horizon, and measuring and demonstrating the efficacy of your compliance program to internal and external stakeholders becomes top of mind. In short, this is an excellent time to consider privacy program metrics. Alex Wall has some tips in this ongoing series on data-based benchmarking for The Privacy Advisor.

Was 2017 the 'year of the breach'?

Mahmood Sher-Jan

Have you noticed that every January you start seeing articles touting the previous year was the worst year on record for data breaches? 2016 was cited as a “record year for breaches,” and 2017 has already earned the moniker “the year of the breach,” but then again, so did 2015, 2014 and 2013. What’s worse, we’re told to brace for impact on what’s to come. In part, these warnings ring true. But how you manage future data breach incidents can mean a world of difference in establishing a mature incident-response compliance program and reducing risk, writes Radar's Mahmood Sher-Jan in this ongoing series for The Privacy Advisor.

Benchmarking incidents involving regulated data as the GDPR looms

Mahmood Sher-Jan

For this month’s installment of Radar's privacy incident benchmarking series, CEO Mahmood Sher-Jan looks more closely at regulated data, and in particular examines any patterns that may emerge in privacy incidents and in incidents that may require notification under breach notification regulations, considering that the looming General Data Protection Regulation stands to turn breach notification on its head.

Benchmarking response: The state(s) of privacy incidents

Mahmood Sher-Jan

When you experience an incident that involves regulated data, many questions come to mind. How was the data compromised? Has the incident been contained and risk mitigated? How sensitive was the compromised data? What is your organization’s role — covered entity or a third party? Is the incident a data breach? Considering these types of questions is a crucial part of any investigation. Compounding the complexity of data breach response is the challenge to comply with a patchwork of ever-changing data breach notification laws. In this installment of an ongoing series on benchmarking data, Radar uses its researched metadata to learn more about the frequency of incidents that impact individuals across state lines to address a common misconception around incident response management.

Full disclosure: Benchmarking data reveals the human error in privacy incidents

Mahmood Sher-Jan

In a previous installment of this benchmarking series, we discussed the differences in incident classification when using intent as a filter. Did the incident result from intentional, malicious actions? Intentional, but not malicious? Or was the incident simply unintentional and inadvertent in nature? Classifying incidents and breaches by intent is an important factor in assessing the severity of the incident and in how an organization determines the potential risk of harm to affected individuals.

This month, we are returning to this topic to dig deeper into incident intent classifications and how they can be further broken down into specific scenarios.