Three Surprising Facts about Privacy Incidents
- Paper-based incidents still account for 30% of all breaches
- Big or small, you must assess every incident
- Commonality among on-time notifications
In the oft-quoted words attributed to Lewis Carroll, “If you don’t know where you are going, any road will get you there.” While that whimsical advice might have sufficed for Carroll’s fictional Alice on her journey through Wonderland, it’s not a workable approach for running a privacy program. Privacy teams need to adjust course constantly, adapting to new laws and changing threats, using metrics and benchmarks to decide how to deploy limited resources for best results.
To help privacy professionals chart their course, RadarFirst has published The Privacy Incident Benchmark Report since 2018, using aggregated statistics from our intelligent incident response management platform. We review and analyze hundreds of thousands of automated multi-factor incident risk assessments, looking at incident causes, timelines, and outcomes. And it turns out that, besides providing useful benchmarks for privacy teams to measure against, this analysis yields some surprising facts that illustrate the value of a data-driven approach to privacy.
The Persistence of Paper
If you were to judge solely from the business press and news headlines, you might think that the “digital transformation” of business information is complete, and the biggest threat to these vast stores of digital data is from cyber-attacks. Not so. While paper-based incidents have decreased 13% since our first benchmark report in 2018, they still account for 30% of overall incident volume.
Despite the hype, many people still apply for accounts and file insurance claims on paper, and organizations are still managing medical, financial, and other records on paper. So physical security is still a privacy issue, from controlling access to paper records to retention and proper disposal.
In some ways, the persistence of paper is good news for privacy: think of the difficulty of stealing millions of paper-based records. That said, while digitization does make cyber-attacks possible, the biggest cause of privacy-related incidents is simple human error, which can happen with information in any form.
According to this year’s benchmark, 93% of incidents are caused by unintentional exposure of information, whether digital, on paper, audio, or visual.
Big or Small, You Must Assess Them All
For every breach that makes the news, there are many mundane incidents that don’t gather public interest because they involve just a few records or information that’s not high risk and doesn’t require notification. But as notification deadlines have shortened and new regulations have come into effect, there is always the temptation to err on the side of caution and notify, running the risk of over-reporting.
Remember that failing to assess the sensitivity of exposed data and the severity of each incident, in order to determine the potential risk of harm and thus whether or not you are obligated to notify, is itself noncompliance. It can also harm your business, opening you up to greater regulatory scrutiny and eroding trust with your customers, patients, and partners, a potentially costly hit.
An automated and consistent process for capturing every incident and performing an intelligent multi-factor risk assessment is a great way to avoid the risks of over-notification (or under-notification). Looking at the anonymized metadata from the Radar platform over the last few years, the level of notifiable incidents has stayed remarkably steady at less than 7%.
It’s encouraging that the expanded definitions of sensitive personal information in regulations such as GDPR and CCPA have not had a significant impact on the level of notifiable incidents, proof that an intelligent, automated, and consistent process is the key to staying compliant regardless of what new regulations–and their varying notification requirements–come your way.
We know these new definitions are reflected in the Radar platform, so they are being taken into account when incident risks are assessed. The privacy teams in the benchmark study are using up-to-date information to assess notification requirements, and notifiable incidents haven’t increased. In addition to leveraging the Radar platform, these organizations employ best practices and have a strong culture of compliance that includes protecting these larger sets of protected personal information.
The Growth of On-Time Notification
Another encouraging trend in the benchmark study is that, despite shorter notification deadlines, on-time notification among Radar users is increasing. 2020 saw a 5% increase in on-time notification over 2019, which saw a 12% increase over 2018. In 2020, among Radar users, over 83% of notifications were on-time.
Interestingly, the percent of on-time notifications is about 90% if only one individual is affected but drops with the number of affected individuals until the affected populations are 10,000 or more, at which point it bounces back to near 80%. We can’t know from the data whether this reflects the statistical likelihood of successfully contacting large numbers of people, the practices of third-party notification services employed for large breaches, or both.
Also surprising: the percentage of on-time notification for paper-based breaches is highest (93.5%) and electronic-based is much lower (72.7%), perhaps because discovery for an electronic incident can be more complex and time-consuming, especially if the source of the breach is external (an on-time rate of 71.2% versus 88.56% for internally caused breaches).
Where Are You Going?
Privacy professionals consistently tell us that each organization needs to choose its own unique set of metrics to track progress and identify developing risks and problem areas. But comparing against industry benchmarks can add another dimension to your evaluations. For example, cybersecurity is an obvious priority for most organizations, but are you doing enough to manage the risks of paper-based documents? Are inconsistencies or inefficiencies in the incident response process leading to over-reporting or late notification?
Whatever metrics you’re using, a data-driven approach to incident response will help your privacy team and management make good decisions about budgets, priorities, and resource allocation. Because, without all the facts, we can come to the wrong conclusions. For example, despite popular opinion, Lewis Carroll never said “If you don’t know where you’re going, any road will get you there.” But Henry Kissinger did say, “If you don’t know where you are going, every road will get you nowhere.” And that is a fact.