This article by Mahmood Sher-Jan is the second in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.
In the last installment of this benchmarking series, we analyzed the percentage of privacy incidents that rise to the level of a data breach and require notification under various data breach laws. Our data revealed that fewer than one in 10 incidents requires notice when a proper multi-factor and multi-jurisdictional assessment is performed, and that organizations with a strong culture of compliance will risk assess every incident. This key benchmark can be helpful in setting a standard to compare your organization’s internal metrics and establishing performance indicators moving forward.
Once armed with this knowledge, the next metric many organizations will want to establish involves risk mitigation. This makes sense: if you have a clear view of what has helped or hindered your organization’s privacy measures in the past, you can continue with what works and identify existing gaps.
RADAR's incident metadata provides insights into the effectiveness and prevalence of various safeguards and risk mitigation steps. If you’re responsible for demonstrating your organization’s privacy compliance, you are likely already well aware of the value of strong contractual agreements with other parties who share or process your data, as the potential penalties for lax contractual agreements can be severe. For example, in April of 2017, the U.S. Department of Health and Human Services reached a $31K settlement with The Center for Children’s Digestive Health in Illinois following an investigation by the HHS Office for Civil Rights, after a business associate revealed that neither party could produce a signed agreement. Under the General Data Protection Regulation, established contract terms and monitoring will be required, and we are all too well aware of the looming May 2018 deadline and potential fines of up to 20M Euros or 4 percent of global annual revenue for an entire conglomerate.
Below, we will explore the use of contractual agreements as effective administrative safeguards implemented by organizations with a strong culture of privacy.
Effective administrative safeguards: Regulatory regimes, contracts, and shoring up business agreements
We know by law and best practice that an entity should have administrative safeguards in place with other parties with whom they have data sharing or processing agreements (whether they are considered clients, processors, service providers, or business associates). Given that incidents involving unintentional misdirection of regulated data are far too common, there are two main categories of contractual safeguards that can provide much needed relief:
Agreements that are put in place before an incident to impose data protection obligations.
Agreements executed after an incident providing assurance that the recipient has not and will not further use or disclose the data.
RADAR incident metadata confirms the basis for this best practice. We found that an incident resulted in a breach requiring notice only 0.5 percent of the time when the unintended recipient of personal data was an entity directly regulated by data protection laws or a party subject to a current data protection agreement. This low breach rate was not significantly affected by whether a written attestation was signed by the recipient entity after an incident attesting that personal data would not be further used or disclosed.