This article by Alex Wall is the first in a series published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.
Data breach. It’s a term that strikes fear in the heart of many a privacy professional. It’s also a term that is increasingly understood and taken seriously by C-suite executives, board-level stakeholders, and even the average citizen, partly because large-scale data breaches seem to make headlines everywhere you turn. Reports and studies of data breaches abound, and while they help companies plan security budgets, gauge risk, and anticipate emerging trends in the vulnerabilities affecting their data, they miss a key metric for benchmarking privacy programs.
Data breaches only tell part of the story about the health of your organization’s privacy program, ignoring the thousands of incidents that occur every day.
As the Global Privacy Officer at RADAR, I am afforded a front-row view into how companies manage the incident-response lifecycle. Our customers set the standard for a strong culture of compliance and commitment to data privacy best practices. In the process of working with them and seeing the way they manage incidents, trends emerge.
But what is an incident? How do you know when an incident is a data breach that requires notice? How you label a privacy occurrence determines which departments should be involved, what actions should be taken, whether notification is required, and when. Not every incident involving regulated data is a data breach by default. A ransomware attack such as the recent WannaCry event, for instance, can in some cases be handled as an incident rather than a notifiable breach if you can document a risk assessment showing a low probability that the data was accessed or exfiltrated, a low risk of the data being unavailable for use (for example, because it was restored from backup), and similar mitigating factors. The burden is on the organization to make and record that showing; absent it, the conservative reading is that the data was compromised.
A data breach is just the tip of the iceberg
Looking at incidents discovered in 2016 that were subject to state and federal data breach laws, 9.54% rose to the level of a breach, as determined by the decision-support guidance provided by the RADAR platform. In other words, roughly one incident in ten was a notifiable breach; for every breach reported, about nine other security or privacy incidents did not rise to the level of a breach requiring notification. This also suggests that a privacy program that is not tracking incidents, and not just breaches, is missing out on its largest source of data for tracking, analyzing, and continually improving the program.