This metric counts the number of unique users affected by data breaches in which the company notified all users whose personal data was compromised, measured over the last calendar year.
SASB defines a data breach as “the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”
SASB defines personal information as “any information about an individual that is maintained by an entity, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (US only), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
The European Union General Data Protection Regulation (GDPR) defines personal data in Article 4(1) as any information relating to an identified or identifiable natural person. A commonly cited plain-language summary puts it this way: “any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.”
SASB clarifies the following points:
“Accounts that the entity cannot verify as belonging to the same user shall be disclosed separately.”
“The scope of disclosure is limited to breaches in which users were notified of the breach, either as required by law or voluntarily by the entity.”
“The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation.”