Every good relationship is built on trust. But in a world of external threats like cyber attacks and internal problems like employee negligence, trust has gone the way of dial-up Internet.
In fact, Forrester Research advocates a Zero Trust Model—verify and never trust. “Zero Trust takes into account the possibility of threats coming from internal as well as external sources and protects the organization from both types of threats,” Forrester noted.
With threats coming from every direction, organizations face serious breach risks, such as regulatory fines, lawsuits, lost business, and reputational harm. In addition, customers, patients, and employees affected by the exposure of their 
sensitive information fall prey to identity theft and other forms of fraud.
To mitigate these risks and prove compliance, companies must develop a robust incident response process, especially incident risk assessment.
Assessments Unlock the Door to Compliance
As we’ve discussed before, an incident is not the same as a breach. Indeed, only a small percentage of security or privacy incidents escalate to breaches, but the law requires that you make a breach determination for every incident your organization faces. In other words, you must document and perform an incident risk assessment. Every time.
The assessment will tell you if an incident meets the legal definition of a data breach under state and federal data breach notification laws. Data breaches require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies, the media, and beyond. Additionally, contractual obligations require notice to business associates if the incident affected clients’ employees or customers.
Be prepared to do a lot of assessments. The Verizon 2016 Data Breach Investigations Report reported on 64,000-plus incidents, and IBM found 64 percent more security incidents in 2015 than in 2014.
As overwhelming as the statistics are, don’t speed through the assessment process. Remember that your organization has the burden of proof to document and perform an incident risk assessment to demonstrate compliance. Otherwise, you could face penalties and corrective action plans from regulators.
Crack the Combination: Inside the Incident Risk Assessment Process
At its core, an assessment examines the factors of an incident against a backdrop of applicable breach notification laws and jurisdictions to see if the incident reaches breach status. Some factors include:
- The source of the incident: cyber attack, insider threat, employee negligence, etc.
- The level and risk of exposure
- The nature of the personal data potentially exposed, and whether any protections (such as encryption) were in place
- The number of potentially impacted customers, patients, or employees
- Remediation steps taken to contain the incident and limit exposure risks
- Whether the event is ongoing or static
- Malicious/non-malicious
In addition to these factors, you must consider breach notification laws, which are a maze of growing complexity and ambiguity. There are 51 state and territory breach notification laws, each have different definitions of personal information, allow varying exceptions, and have separate requirements regarding notification thresholds, content, and timing.
These laws are rapidly changing and getting increasingly stringent: 12 significant amendments to state breach notification laws have gone into effect in the past 17 months. Adding to the complexity are federal regulations and standards — HIPAA and GLBA to name two — as well as international laws and the long-awaited European Union’s General Data Protection Regulation (GDPR).
The Master Key to Compliance: “Operational” Incident Risk Assessment
The better your organization can manage its incident response process — particularly incident risk assessment — the better it can manage data breach risks and prove regulatory compliance.
You may be thinking this is easier said than done; the high volume of incidents, the unique circumstances of each incident, and the complexity of breach notification laws can make incident risk assessments feel like a daunting feat.
So instead of creating a new “key” for every incident risk assessment you’re required to perform, we recommend operationalizing the assessment process. That is, establish a consistent, repeatable process that incorporates best practices, is scalable, and takes into account the many factors of an incident and the ever-changing data breach regulatory landscape.
With this master key, you have the power to always unlock the door to compliance.
Related Reading: