This article by Mahmood Sher-Jan is the third in a series of articles published with the IAPP Privacy Advisor, on the topic of establishing program metrics and benchmarking your privacy incident management program.
In previous installments of this series, we learned fewer than one in 10 privacy incidents rise to the level of a data breach requiring notification and the value of contractual agreements as effective administrative safeguards.
At RADAR we are afforded a unique vantage point, in which the product allows us visibility into big-picture trends and insights of not just the breaches that are reported, but the multitude of incidents.
And there is a big difference between those two designations. In this installment of the series, we decided to look into an issue that is becoming more widely reported as companies react to recent large-scale data breaches and make preparations for compliance with the GDPR: managing risk of incidents caused by third-party vendors.
The statistics on third-party breaches vary widely, and it’s clear that organizations have trust issues when it comes to third parties reliably notifying them when an incident or a breach occurs. A report from insurance company Beazley covering the first six months of 2017 indicates that accidental breaches caused by employee error or data breached while controlled by third party suppliers account for 30 percent of breaches overall. A survey by Soha Systems places the percentage of all data breaches linked directly or indirectly to third-party access at 63 percent. And yet another study, sponsored by BuckleySandler and Treliant Risk Advisors from the Ponemon Institute, indicates a lack of trust in third-party vendors to reliably notify your organization of a breach: 37 percent of respondents didn’t believe vendors would notify them of a data breach, and when that vendor is further removed (a fourth-party vendor or greater) that number grows to 73 percent.
While data around third-party breaches is a significant part of the story, understanding third-party incident data and how it fits is a critical aspect of seeing the big picture. Therefore we decided to explore third-party related incidents and related breach determinations by focusing on data controllers/covered entities, their rate of reporting incidents as breaches, and whether the source of an incident (caused internally vs. externally to the entity) had any significance.
Data driven insights about third-party sourced incidents
Diving into aggregated and anonymized metadata from RADAR, we analyzed a sample set of 10,000 incidents from the past year. We limited our sample to only include incidents where the role of the entity was a covered entity (or controller), or the entity had dual roles as both a covered entity and a service provider.
What we found was surprising. The vast majority of incidents tracked and documented by covered entities were internally sourced: 88.4 percent of all incidents, while only 11.6 percent of incidents tracked within the sample data set were sourced from external third parties. Since industry reports indicate that third-party entities are causing a significant portion of reported breaches, it would stand to reason that the overwhelming majority of incidents would be externally sourced as well.
Next, we decided to dig deeper into distinguishing insights about the two categories of reported incidents as they relate to breaches. Again, we were surprised to discover upon further analysis that the covered entities performing incident risk assessments categorize incidents as breaches at very similar rates in both incident categories. 19.0 percent of externally sourced incidents are categorized as breaches, while 20.6 percent of internally sourced incidents are categorized as breaches.
On closer look, we discovered that while these rates are relatively close, they diverge significantly when it comes to entities choosing to voluntarily report externally sourced incidents (7.3 percent) over internally sourced incidents (1.2 percent). Voluntary notice may be given based on an entity’s culture of compliance when an incident risk assessment does not cross the risk of harm threshold or meets regulatory exceptions.
This means that covered entities are six times more likely to voluntarily notify affected individuals when the incident is externally sourced and attributed to a third party.
What lessons can be learned from this exercise to take back to your privacy program?First, it is important to be able to see all incidents in a single dashboard, to be able to easily drill down into the data to learn where the incidents are coming from, how often incidents escalate to a breach, and if there any anomalies in your trends. These are all good questions your privacy program should be able to answer.