By Mahmood Sher-Jan, CHPC, EVP and GM RADAR business unit, ID Experts
Like it or not, privacy and security incidents happen all the time, to businesses of all sizes. Electronic intrusions into a network. Lost or stolen laptops. Bank information posted to the wrong customer’s account. Discharge papers handed to the wrong patient.
In 2015, Verizon found that the 70 organizations contributing data to its Data Breach Investigations Report experienced an average of 1,268 incidents per year, or 105 per month. Those are only electronic incidents (not paper), and the figure obviously varies greatly with the size and type of business and its volume of transactions.
But whether a business is suffering a dozen or a hundred incidents a month, the challenge is the same: Every incident must be thoroughly and consistently assessed to determine if it crosses state and/or federal regulatory thresholds and must be reported as a data breach.
To be clear, the vast majority of incidents are mundane and do not have to be reported—only 2,122 of the 79,790 incidents in the Verizon report were confirmed data breaches. The problem is that, with so many incidents occurring every week and month, many businesses over-report or underreport data breaches. It’s easy to do, and the costs add up.
The high cost of over-reporting
Several of our business clients have told us that they routinely over-reported incidents. It’s a tempting thing to do: If you’re going to err, err on the side of going beyond minimum regulatory requirements, right?
The problem is that over-reporting elevates the level of concern your patients, customers, members, partners, and others may have about the security of your business. Can they really trust you to protect their privacy when you repeatedly notify them about data breaches, however minor they may be? Over time, you can do real damage to your reputation and your brand.
Another problem with over-reporting is that regulators receive every breach report you file. A high volume of reports invites scrutiny and audits, which consume a lot of staff time and can result in hefty fines.
The equally high costs of underreporting
Underreporting is no better. Businesses that lack a consistent risk assessment process may fail to report incidents as data breaches even when reporting is required. That can result in substantial regulatory fines and other penalties, as well as years of corrective action plans (CAPs) and added scrutiny.
In addition, if underreporting is exposed to the public (whether by regulators, an employee, a business associate, or a competitor), the brand and business reputation are likely to suffer greatly.
Especially in these days of heightened public awareness of, and anxiety about, data security and privacy, being deemed insecure or untrustworthy can be a death knell for a business, whether because it lacks a culture of compliance or because it makes a habit of sweeping potential privacy and security issues under the carpet.
A better way forward
Over-reporting and underreporting do not typically occur because of business malfeasance. Rather, they are the result of ad-hoc, manual risk assessments that are inherently inconsistent, subject to human error and bias.
In fact, a 2014 Ponemon report found that lack of consistency was the most common complaint about current incident assessment processes. Inconsistency is a big problem, and a dangerous one, because consistency is what regulatory auditors demand above almost all else: the same facts must lead to the same reporting decision every time, with the reasoning documented.
To strike the right balance, reporting only the data breaches that need to be reported, in a timely fashion, using multi-factor risk assessments that are fully documented, businesses need to move beyond manual assessments. Decision trees and other manual decision-making methods simply cannot keep pace with the number of incidents and the complexity of today's changing regulations.
Using purpose-built incident response management software is a smarter alternative, ensuring consistency, saving time, and giving businesses confidence that they are reporting everything that is necessary, and nothing that isn’t.