While at the 2019 IAPP Privacy. Security. Risk. conference, I was introduced
to the European Union Agency for Network and Information Security (ENISA)'s "Recommendations for a methodology of the assessment of severity of personal data breaches" in Liisa M. Thomas's Data Breach Bootcamp. The methodology allows you to calculate the severity of a data breach from the perspective of a data subject: what's the personal harm?
The methodology systematizes and standardizes the calculation “estimation of
the magnitude of potential impact on the individuals derived from the data
breach”. By answering a few questions about the breach, the methodology produces
a severity score:
- Low: Individuals either will not be affected or may
encounter a few inconveniences, which they will overcome without any problem
(time spent re-entering information, annoyances, irritations, etc.).
- Medium: Individuals may encounter significant
inconveniences, which they will be able to overcome despite a few
difficulties (extra costs, denial of access to business services, fear, lack
of understanding, stress, minor physical ailments, etc.).
- High: Individuals may encounter significant
consequences, which they should be able to overcome albeit with serious
difficulties (misappropriation of funds, blacklisting by banks, property
damage, loss of employment, subpoena, worsening of health, etc.).
- Very High: Individuals may encounter significant, or
even irreversible, consequences, which they may not overcome (financial
distress such as substantial debt or inability to work, long-term
psychological or physical ailments, death, etc.).
I created a spreadsheet to calculate the score. I suggest using it anytime
you have a breach and add the score to your security or privacy incident log.
Having a standard way to measure harm can be helpful when determining if there
is a need to notify individuals or supervisory authorities.
You are free to download, use, modify, and share the spreadsheet. Please feel
free to offer suggestions for improvements: