Is Your Security Incident a Data Breach? Uncle Sam & Regulators Want to Know


By Mahmood Sher-Jan
CEO and Founder of Radar, Inc.

As any privacy or compliance professional knows, sensitive customer information is constantly at risk for exposure. Cyber attacks, ransomware, spear phishing, malware, system and process failures, employee mistakes, lost or stolen devices—the list of threats goes on. Your organization’s data will be—or already has been—compromised.

The inevitability of incidents and breaches is compounded by the difficulty of complying with complex and changing state and federal breach notification laws. Privacy and compliance teams often react to incidents without the incident response framework, tools, and success metrics needed to operationalize an effective incident response management program.

When establishing an effective privacy and incident management program, there are three crucial strands that must be woven into the culture and fabric of the program:

  1. An incident response framework built on up-to-date understanding of increasing regulatory complexity
  2. Technology to ensure consistency in incident risk assessment and breach determination
  3. Ongoing analysis of incident data to establish program metrics and give insights that allow you to continue to improve your program

Incident Response Framework: Built on Understanding Regulatory Complexity

No two incidents are alike, and neither are the data breach notification laws that govern them. In the US, 47 states, the District of Columbia, and three territories each have their own triggers, definitions, and requirements for assessing a data privacy or security incident and determining whether it is a data breach that requires notification. For insurance carriers, state department of insurance bulletins also come into play. For most healthcare and financial institutions, federal breach notification rules (under HIPAA and GLBA) add yet another layer of obligations. The result is a complicated landscape for the privacy, security, and legal teams responsible for risk mitigation and regulatory compliance across multiple jurisdictions.

Keeping the incident response management process humming requires a framework that promotes a culture of privacy and is based on in-depth regulatory understanding and ongoing monitoring of increasingly complex, ever-changing regulations. The framework should provide for legal oversight while enabling efficient, consistent, and automated incident risk assessment, so that decisions are made on time and on a defensible basis.

Incident Response Automation: Consistent and Defensible Decision-Making

The effectiveness of the incident response framework depends on how well it is operationalized using automation and best practices. Privacy and legal professionals need purpose-built software that helps them implement their framework and maintain ongoing oversight. Such software can shorten the time it takes to report a newly discovered incident and improve the quality of the information captured at intake. More importantly, it can help privacy and legal professionals keep up with regulatory changes and perform a consistent, multi-factor incident risk assessment for every decision while meeting the organization's regulatory and audit obligations.

Highly manual and fragmented approaches to tracking regulatory changes, reporting new incidents, and performing incident risk assessment persist largely because of a lack of awareness of proven and emerging purpose-built privacy solutions. A common misperception holds that incident response, and incident risk assessment in particular, cannot be automated because no two incidents are alike. In fact, the variability of incidents is exactly why software-based incident profiling and risk quantification are needed: they remove the subjectivity and inconsistency inherent in manual approaches. Comparable technologies have been used for years to reduce financial fraud and to improve data security and decision-making, and they are now needed to help privacy and legal professionals manage mounting regulatory complexity, domestically and internationally, in a cost-effective way. An incident response framework that ensures consistency and efficiency while producing the necessary management metrics cannot be implemented without purpose-built automation.

Key Performance Indicators: Critical to Insights and Improvement

Privacy is more than compliance; it is a matter of trust. Without the trust of customers and business partners, organizations cannot thrive, or even survive. In a data-driven corporate culture, metrics are critical for privacy professionals who must develop and track key performance indicators, demonstrate the outcomes of their incident response framework, and communicate effectively with senior management.

It has been said that if you can't measure something, you can't improve it. Purpose-built automation gives timely and efficient access to the information needed for operational analysis and management reporting. Establishing a baseline for key performance indicators and their measurements can mean the difference between success and failure, or at least between the perception of success and the perception of failure. Here are a few indicators and measurements to consider when transitioning from manual processes to automation:

  • Average time from incident discovery to reporting to the privacy office, from incident creation to closure, and to complete a multi-factor risk assessment
  • Percentage of incidents requiring mandatory (regulatory) notification, contractual notification, or involving multiple jurisdictions
  • Frequency of missed notification due dates (regulatory and contractual)
  • Trends in incident volume by category (electronic, paper), by incident type and number of records, and by incident source (internal or third party) and root cause

There are many more metrics that can be designed and tracked based on your organization’s focus and needs. Typically these metrics can serve operational needs, allow for management reporting, and ease communication. They will help provide objective evidence of the effectiveness of the current incident response framework and identify gaps and areas in need of improvement and resource allocation.
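To make the indicators above concrete, here is a small Python script, added for this page and not part of the original post or of RADAR's software, that computes them over a constructed incident register. The record layout, field names, jurisdictions, dates and due dates are assumptions made for the example; a real program would pull the same fields from its intake and assessment records.

```python
from collections import Counter
from datetime import date
from statistics import mean

# Constructed sample incident register for the example; none of this is real data.
# Each record carries the dates an intake tool would capture and the notification
# obligations (regulatory or contractual) that the risk assessment identified.
INCIDENTS = [
    {"id": "INC-1", "category": "electronic", "type": "lost device",
     "source": "internal", "root_cause": "unencrypted laptop", "records": 1200,
     "discovered": "2017-01-03", "reported": "2017-01-05",
     "assessed": "2017-01-09", "closed": "2017-02-10",
     "obligations": [
         {"kind": "regulatory", "jurisdiction": "US-CA",
          "due": "2017-02-02", "sent": "2017-01-31"},
         {"kind": "regulatory", "jurisdiction": "US-OR",
          "due": "2017-02-17", "sent": "2017-02-01"},
         {"kind": "contractual", "jurisdiction": "Acme Health (BAA)",
          "due": "2017-01-12", "sent": "2017-01-20"},   # sent after the due date
     ]},
    {"id": "INC-2", "category": "paper", "type": "misdirected mail",
     "source": "third party", "root_cause": "vendor process failure", "records": 4,
     "discovered": "2017-01-10", "reported": "2017-01-10",
     "assessed": "2017-01-11", "closed": "2017-01-18",
     "obligations": []},                                 # assessed as not a breach
    {"id": "INC-3", "category": "electronic", "type": "phishing",
     "source": "internal", "root_cause": "credential compromise", "records": 350,
     "discovered": "2017-02-01", "reported": "2017-02-08",
     "assessed": "2017-02-15", "closed": None,           # still open
     "obligations": [
         {"kind": "regulatory", "jurisdiction": "US-HHS",
          "due": "2017-04-02", "sent": None},            # not yet sent
     ]},
]


def _d(s):
    """ISO date string -> date, passing None through."""
    return date.fromisoformat(s) if s else None


def _days(start, end):
    return (_d(end) - _d(start)).days


def missed_obligations(incidents, as_of):
    """Notifications sent after their due date, or still unsent with the due date past as_of."""
    as_of = _d(as_of)
    missed = []
    for inc in incidents:
        for ob in inc["obligations"]:
            due, sent = _d(ob["due"]), _d(ob["sent"])
            if (sent is not None and sent > due) or (sent is None and as_of > due):
                missed.append((inc["id"], ob["kind"], ob["jurisdiction"]))
    return missed


def kpis(incidents, as_of):
    """Compute the program indicators listed above over an incident register."""
    n = len(incidents)
    closed = [i for i in incidents if i["closed"]]

    def pct(pred):
        return round(100.0 * sum(1 for i in incidents if pred(i)) / n, 1)

    def kinds(inc):
        return {o["kind"] for o in inc["obligations"]}

    def regulatory_jurisdictions(inc):
        return {o["jurisdiction"] for o in inc["obligations"] if o["kind"] == "regulatory"}

    records_by_type = Counter()
    for inc in incidents:
        records_by_type[inc["type"]] += inc["records"]

    return {
        # cycle times, in days
        "avg_days_discovery_to_report": mean(_days(i["discovered"], i["reported"]) for i in incidents),
        "avg_days_discovery_to_assessment": mean(_days(i["discovered"], i["assessed"]) for i in incidents),
        "avg_days_discovery_to_closure": mean(_days(i["discovered"], i["closed"]) for i in closed) if closed else None,
        # notification profile, as a percentage of incidents
        "pct_regulatory_notification": pct(lambda i: "regulatory" in kinds(i)),
        "pct_contractual_notification": pct(lambda i: "contractual" in kinds(i)),
        "pct_multi_jurisdiction": pct(lambda i: len(regulatory_jurisdictions(i)) > 1),
        # missed due dates (regulatory and contractual)
        "missed_due_dates": missed_obligations(incidents, as_of),
        # volume trends
        "incidents_by_category": dict(Counter(i["category"] for i in incidents)),
        "incidents_by_source": dict(Counter(i["source"] for i in incidents)),
        "incidents_by_root_cause": dict(Counter(i["root_cause"] for i in incidents)),
        "records_by_type": dict(records_by_type),
    }


if __name__ == "__main__":
    for name, value in kpis(INCIDENTS, "2017-04-15").items():
        print(f"{name}: {value}")
```

The one design point worth noting is the missed-due-date rule: an obligation counts as missed both when the notice went out late and when it has not gone out at all and the due date has already passed as of the reporting date, so an open incident with an overdue notice shows up in the metric rather than hiding until it is closed.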

Purpose-built software solutions provide native capabilities to collect, track, and measure these incident response management performance metrics.

If you're interested in exploring this topic further and learning more about RADAR, join me and a panel of experts at the 2017 Compliance Institute on March 26, from 1:30 PM to 4:30 PM EST. The session, “Is your Security Incident a Data Breach? Uncle Sam Wants to Know,” includes the following panelists:

  • Patricia (PC) Shea, Partner, K&L Gates
  • Laura Merten, Chief Privacy Officer, Advocate Health Care
  • Asra Ali, Compliance and Risk Manager, HealthScape Advisors

Details are listed under session P18 in the 2017 Compliance Institute program.


Mahmood Sher-Jan, CHPC, CEO and Founder, RADAR, Inc.

Mahmood is chief executive officer of RADAR, Inc., the leading provider of incident response management and decision-support software. He has a 30-year career developing risk and fraud management, security, compliance, and data breach solutions. He is the inventor of the RADAR incident response management software and holds three patents. RADAR is focused on easing the burden of incident risk assessment and simplifying compliance. This award-winning software-as-a-service platform is used by Fortune 100 companies and organizations in heavily regulated industries, including financial services, insurance, and healthcare, to assess and respond to security and privacy incidents, reduce risk, and prove compliance with data breach laws. Learn more at


  1. Good points…thanks for posting.

    Another point to consider concerns the “technology” used in risk assessments. I won’t go into detail (if people want to track me down at the CI, I’m glad to discuss), but that technology can just as easily include or consist of paper-based or e-based tools, such as:
    – checklists
    – flow charts
    – tools that walk the risk assessment team through the steps of an assessment.

    When one considers that the majority of breaches (I know the BIG breaches get the headlines, but the everyday ones are those that most of us deal with every day) are assessed by a team of one, it is good to know that the use of technology can add a nice element of flexibility in terms of what is used to conduct the assessment and take into account some of the case specifics of a particular incident.
