Calculating the severity of a data breach

UPDATED with new link to breach severity calculator. 

While at the 2019 IAPP Privacy. Security. Risk. conference, I was introduced
to the European Union Agency for Network and Information Security (ENISA)'s "Recommendations for a methodology of the assessment of severity of personal data breaches" in Liisa M. Thomas's Data Breach Bootcamp. The methodology allows you to calculate the severity of a data breach from the perspective of a data subject: what's the personal harm?

The methodology systematizes and standardizes the “estimation of
the magnitude of potential impact on the individuals derived from the data
breach”. By answering a few questions about the breach, the methodology produces
a severity score:

  1. Low: Individuals either will not be affected or may
    encounter a few inconveniences, which they will overcome without any problem
    (time spent re-entering information, annoyances, irritations, etc.).
  2. Medium: Individuals may encounter significant
    inconveniences, which they will be able to overcome despite a few
    difficulties (extra costs, denial of access to business services, fear, lack
    of understanding, stress, minor physical ailments, etc.).
  3. High: Individuals may encounter significant
    consequences, which they should be able to overcome albeit with serious
    difficulties (misappropriation of funds, blacklisting by banks, property
    damage, loss of employment, subpoena, worsening of health, etc.).
  4. Very High: Individuals may encounter significant, or
    even irreversible, consequences, which they may not overcome (financial
    distress such as substantial debt or inability to work, long-term
    psychological or physical ailments, death, etc.).

I created a spreadsheet to calculate the score. I suggest using it anytime
you have a breach and adding the score to your security or privacy incident log.
Having a standard way to measure harm can be helpful when determining if there
is a need to notify individuals or supervisory authorities.
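
The scoring behind these four levels, as an added example that is not the author's spreadsheet: it applies the formula from the ENISA recommendations, SE = DPC × EI + CB, with that document's band thresholds. The function names, answer labels and sample incidents are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Scores per the ENISA recommendations; the label names are this example's shorthand.
EI = {"negligible": 0.25, "limited": 0.5, "significant": 0.75, "maximum": 1.0}
CB_STEP = {"none": 0.0, "lower": 0.25, "higher": 0.5}  # per C/I/A criterion
BANDS = [(2, "Low"), (3, "Medium"), (4, "High")]        # SE below bound -> level


@dataclass
class Breach:
    dpc: int                      # Data Processing Context score, 1..4
    ei: str                       # Ease of Identification, key of EI
    confidentiality: str = "none"
    integrity: str = "none"
    availability: str = "none"
    malicious_intent: bool = False


def circumstances(b: Breach) -> float:
    """CB: sum of the loss-of-C/I/A increments, plus 0.5 for malicious intent."""
    try:
        cb = sum(CB_STEP[x] for x in (b.confidentiality, b.integrity, b.availability))
    except KeyError as exc:
        raise ValueError(f"unknown CB answer: {exc}") from None
    return cb + (0.5 if b.malicious_intent else 0.0)


def severity(b: Breach) -> tuple[float, str]:
    """Return (SE, level) with SE = DPC * EI + CB."""
    if not 1 <= b.dpc <= 4:
        raise ValueError("DPC must be between 1 and 4")
    if b.ei not in EI:
        raise ValueError(f"unknown EI answer: {b.ei!r}")
    se = b.dpc * EI[b.ei] + circumstances(b)
    level = next((name for bound, name in BANDS if se < bound), "Very High")
    return se, level


# Constructed sample incidents, not real cases.
SAMPLES = {
    "misdirected newsletter list": Breach(dpc=1, ei="maximum", confidentiality="lower"),
    "payroll export on public share": Breach(dpc=3, ei="significant", confidentiality="higher"),
    "stolen clinic laptop": Breach(dpc=4, ei="maximum", confidentiality="higher", malicious_intent=True),
}

if __name__ == "__main__":
    for name, breach in SAMPLES.items():
        se, level = severity(breach)
        print(f"{name}: SE={se:.2f} -> {level}")  # value to record in the incident log
```

A score that lands exactly on a threshold falls into the higher band, so SE = 2.0 is Medium, not Low.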

You are free to download, use, modify, and share the spreadsheet. Please feel
free to offer suggestions for improvements:


  1. Hi there! This is such a great help, however, I'm having trouble with the formula that you have inserted for the CB score and the overall Severity scoring. I keep getting a notification that the formula isn't working. Any way to work around this?

    1. Sorry - Missed your question! What error are you getting? You put numbers into cells C45, C48, C52, and C56 and get an error???

  2. This is pretty cool. Thanks for sharing Mike

    Is this 2013 document still the standard insofar as methodology? I just came across it today and it's pretty interesting.

