This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR, Inc., a provider of purpose-built decision support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.
Have you noticed that every January you start seeing articles touting the previous year as the worst on record for data breaches? It’s not just your imagination. This time last year, 2016 was cited as a “Record year for data breaches,” and 2017 has already earned the moniker “The year of the data breach,” but then again, so did 2015, 2014, and 2013. What’s more, most of these year-in-review articles warn that, while the previous year was bad, we should all brace for the year to come.
In part, these warnings ring true. If there’s one thing I’ve learned in my years in privacy, it’s that incidents involving private, protected information are inevitable, that concern about these incidents grows with each passing year, and that the volume of personal data collected and processed by entities globally grows with it. Pundits are predicting growth in the use of data through self-service IT and AI applications, which I believe could further contribute to unauthorized uses and disclosures of personal data. Employee mistakes and process and system failures will continue to contribute to incident volume, as they have in the past, along with malicious acts by insiders and external bad actors.
But how you manage these incidents, what risk mitigation factors you put in place, and whether you perform a consistent and defensible multi-factor risk assessment of each incident to document your burden of proof can make a world of difference. These practices are what establish a mature incident response compliance program and reduce the risk from your 2018 incidents involving personal data.
The more things change, the more they stay the same
With this yearly warning about data breaches in mind, we decided to dig into our RADAR metadata and analyze incidents discovered in 2017. The first number we examined was the percentage of incidents discovered in 2017 that rose to the level of a breach once risk assessed. We found that 19 percent of all incidents were classified as notifiable in 2017, consistent with the previous year.
Next, we analyzed the percentage of incidents that were classified as notifiable within each category (paper, electronic, or verbal/visual incidents).