This article is part of an ongoing IAPP Privacy Advisor series on privacy program metrics and benchmarking for incident response management. Find earlier installments of this series here.
When you experience an incident that involves regulated data, many questions come to mind. How was the data compromised? Has the incident been contained and risk mitigated? How sensitive was the compromised data? What is your organization’s role–covered entity or a third party? Is the incident a data breach? Considering these types of questions is a crucial part of any investigation, and critical to conducting a proper, compliant incident risk assessment to determine if you have a data breach that requires notification to regulators, affected individuals, or to your client organizations. Every incident involving regulated data must be assessed to evaluate the potential risk of harm to affected individuals, and based on your contractual data protection obligations and the process must be documented to meet your burden of proof obligation.
Compounding the complexity of data breach response is the challenge to comply with a patchwork of ever-changing data breach notification laws. In the United States this is particularly convoluted. This month saw Alabama and South Dakota joining the rest of the country by each enacting a data breach notification law, which means now all 50 US states regulate data breach notification - and each in a different way, with different requirements and timeframes in which to provide notification.
Knowing the challenges privacy professionals face in managing and risk assessing multi-jurisdictional privacy incidents on a state, federal, and even international level, we decided to dig into the RADAR metadata to learn more about the frequency of incidents that impact individuals across state lines and use this real-world data to address a common misconception around incident response management.
What the data reveals about multi-jurisdictional incidents
If you pay attention to the news, it would be easy to assume from the headlines that a typical data breach impacts the lives of individuals across multiple state lines. The large, attention-grabbing breaches seem to tell this story. But these breaches don’t accurately represent the majority of privacy and security incidents that occur every day.
By analyzing incident metadata from a two year span (2016-2017) across multiple industries, including healthcare and financial services, we found that up to 94% of incidents require risk assessment under a minimum of two breach notification rules–one federal and one state. This is largely due to the fact that the majority of daily incidents are not on a massive scale and involve unintentional incident involving a small number of records and that can often be adequately risk mitigated.
The chart at the top of this page shows a breakdown of incidents spanning multiple jurisdictions by category type. You’ll see that the vast majority of incidents involve residents of a single state. Electronic incidents, unsurprisingly, have a less steep drop off than paper or verbal/visual incidents, which would make sense: electronic data is more likely to house a greater number of records, and therefore a great number of jurisdictions.
Privacy professionals working towards compliance in the U.S. may think this is an oversimplification of their job. It would be foolish to discount the complexity of consistently risk scoring incidents under fewer jurisdictions. It still requires investigation, identification of the pertinent risk factors, and scoring the severity of the incident against the likelihood of harm to the individual. Consider, as well, that though many incidents only impact residents of a single jurisdiction (in addition to federal regulations, such as HIPAA and GLBA) an organization over the course of time will have to assess under multiple jurisdictions, so privacy professionals must always stay on top of ever-changing regulations.
This brings us to our second piece of metadata. When looking at that same two-year slice of information, we found that while most individual incidents involve few jurisdictions, over time an organization will experience incidents impacting individuals across many different jurisdictions. Think of it this way: You have an incident one day that compromises data for residents in California. The next day, you may experience a misplaced laptop containing sensitive data for residents of Washington and Oregon. This means that the privacy team over the course of its day could be required to know the ins and outs of multiple state (and applicable federal) data breach notification laws.
In fact, we found that on average, RADAR customers assess incidents impacting individuals in 21 states (alongside federal jurisdictions) over the course of a year.
Continue reading this IAPP Privacy Advisor Article to learn the jurisdictional challenges to compliance.
Previous articles in this series: