Percentage of Breaches Involving Personally Identifiable Information

REFERENCE: S3.2.1
CATEGORY: Data Security
METRIC: Percentage of Breaches Involving Personally Identifiable Information
UNIT: Percentage

Definition

This metric tracks the percentage of data breaches occurring in the last calendar year that involve personally identifiable information where the company notified the user of the breach.

Expanded Definition

SASB defines a data breach as “the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”

SASB defines personal information as “any information about an individual that is maintained by an entity, including: (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security Number (US only), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

The European Union General Data Protection Regulation (GDPR) defines personal data as “any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.”

SASB clarifies the following points:

“The scope of disclosure shall include incidents in which encrypted data were acquired with an encryption key that was also acquired, as well as if there is a reasonable belief that encrypted data could be readily converted to plaintext.”

“The scope of disclosure is limited to breaches in which users were notified of the breach, either as required by law or voluntarily by the entity.”

“The entity may delay disclosure if a law enforcement agency has determined that notification impedes a criminal investigation or until the law enforcement agency determines that such notification does not compromise the investigation.”