This article is part of an ongoing IAPP Privacy Advisor series on privacy program metrics and benchmarking for incident response management. Find earlier installments of this series here.

The information we collect as a matter of doing business is growing. Think of the advances in technology and the proliferation of devices that constantly capture and store information — the Internet of things, smart home technology, wearable technology and medical devices. As the volume of information about individuals becomes more available, so too grows our challenge to accurately catalog and safeguard the data — and subsequently regulate the use of this information. They say that knowledge is power, and these days there is no greater power for companies than data.

In the privacy profession, we are of course laser-focused on personal information, the security and protection of that information, and the ways in which that information is regulated. In that light, for this month’s installment of the benchmarking series, we decided to look more closely at regulated data, and in particular examine any patterns that may emerge in privacy incidents and incidents that may require notification under breach notification regulations.

What constitutes personal data?

The data segment we examined for this article represents regulated entities subject to breach notification laws and regulations in the United States. This is important to note because what constitutes regulated data in the U.S. may differ from other regional regulations (more on that to come). In fact, what is considered regulated data within the U.S. may differ widely from state to state. For example, all U.S. breach notification laws regulate electronic personal information, but only a handful of state laws, insurance regulations, and federal laws such as HIPAA also regulate non-electronic personal information. When data breach notification laws were first enacted in the states, personal information was typically minimally defined as an individual’s name in combination with a Social Security number, driver’s license or state identification card number, or a financial account number combined with an access code or password. Changes to state and federal legislation in subsequent years have shown a trend towards significantly expanding the scope of personal information to include a wider set of data, such as taxpayer identification number, health care data and biometric information, or the answers to security questions that would permit access to an online account.

These laws are rapidly changing — for instance, on January 1 of this year, Maryland enacted a revision to their Personal Information Protection Act to specifically include health information, insurance policy or certificate number, and biometric data in their definition of personal information. And at least four states proposed regulations further expanding the scope of personal information in January of 2018 alone.

Benchmarking personal data elements

That brings us to looking at specific types of personal data and that type of data’s prevalence in incidents and notifiable incidents. Unsurprisingly, one of the most common types of information reported in RADAR, far and beyond any other type of personal information, was Name – which appeared in 91 percent of all incidents. This makes sense, as most regulations in the U.S. consider a breach of personal information to occur when name in combination with other points of data are disclosed. Closely aligning with a statistic from last month’s benchmarking article, incidents that included an affected individual’s name, once properly risk mitigated and assessed, were considered notifiable 19 percent of the time.

Also in the incident metadata, we began to see a trend emerge that information considered to be particularly sensitive was exposed less frequently — but when it was, it was considered notifiable at a greater rate.

Continue reading this IAPP Privacy Advisor Article to view specific benchmarking statistics and learn the challenges privacy professionals face under the GDPR.


Previous articles in this series: