No Harm, No Foul? Companies Need a Better Way to Assess Risk of Harm
In 40 states, data breach notification laws require companies to perform some type of risk of harm analysis to determine whether an incident triggers a breach notification to the individual. Assessing the risk of harm (i.e., whether the personal information has been compromised) is a significant part of the overall risk analysis of security incidents—and frankly, it’s an area in need of improvement.
Companies want to do right by consumers and avoid costly lawsuits, but many lack the tools, experience, or expertise to recognize whether the risk of harm threshold has been crossed. Instead, they make a judgment call, and that judgment can be based on flimsy evidence or a complete lack of evidence—because in some cases they haven’t even looked.
Theodore Augustinos, a partner at Locke Lord LLP, said companies use a wide range of methods to assess the risk of harm. “Some are very sophisticated and have highly developed internal and external strategies,” he said, “but other companies perform more primitive types of assessments, just looking at the types of data they have and the basic level of perceived threats and vulnerabilities.”
To perform more consistent assessments, privacy and security officials would be wise to go above and beyond state notification laws and rely on other well-established standards. For instance, the HITECH Act’s four-factor analysis assesses:
- The nature and extent of the protected health information (PHI) involved
- The identity of the unauthorized person who impermissibly used the PHI or to whom the impermissible disclosure was made
- Whether the PHI was actually acquired or viewed, or whether only the opportunity to do so existed
- The extent to which the risk to the PHI has been mitigated
Although it was obviously designed solely for healthcare entities, the four-factor analysis could put any company on more solid footing when it comes to determining whether its consumers are at risk.
And while we’re on the topic of healthcare, businesses of all kinds would be wise to include medical identity information in their risk analyses, even if their particular state law doesn’t require it (and few do). If your company handles health information, include it as part of your risk analysis to protect consumers from one of the fastest-growing crimes in the world.
These steps mean more work for companies, which is why it’s also important to seek out the best tools available to help you assess the risk of harm.
Augustinos said that when companies struggle with their risk of harm analyses, “We encourage them, either through their internal security and IT people or through outside consultants, to assess the tools that are available in the marketplace. The better their tools, the more efficient, effective, and accurate they can be with their assessments.”
ID Experts’ RADAR® is one such tool that lets you perform a more thorough analysis of risk, and as Augustinos said, there are other tools in the marketplace. A comprehensive incident response comparison guide is available here.
What’s most important is to improve your risk of harm analyses—because doing the minimum to meet state requirements may not be sufficient to do the right thing by your consumers.
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.