Been Breached? How to Report Consumer Risk with a Risk Assessment

by Benjamin Wright / July 26th, 2018

Using a Risk Assessment to Report Consumer Risk

Because there are so many different laws that regulate how and when an organization must give notice if it has had a data security breach, understanding what the correct plan of action is for your organization or determining how to report consumer risk from breaches might be daunting. Nevertheless, the laws do have one major commonality: does the consumer suffer a significant risk of harm? Consider a Social Security number; if someone’s SSN was compromised, they’re at risk for true-name and account-takeover identity theft. This would be a significant risk of harm to that consumer. Or, for instance, let’s examine a patient whose medical records were compromised. What is the probability that patient would suffer some kind of embarrassment or identify left? The level of risk of harm may change based on the type of medical records, like a compromise of an HIV status versus dental records.

If an organization believes that a data security breach has occurred, they should try to remediate the problem at hand as soon as possible and report consumer risk. Conducting a risk assessment is a useful methodology used to identify, assess, and prioritize organizational risk and thus allows organizations to implement a plan of action quickly and efficiently. Risk assessments can be used for a variety of reasons such as locating gaps in security, understanding risks, evaluating how breaches occur, and remediating gaps and/or breaches.

Risk assessments also allow organizations to determine what the level of risk is relative to the final consumer – is it a significant or low risk? It’s also important to keep in mind the subjective nature of risk. We often use the example of a worn tire to better understand. When we just consider the tire, we can conclude that it is worn-out and in bad shape, and there is significant risk. However, when you picture the tire connected to a tire swing rather than on your car, the subjective nature changes and the tire is no longer a significant risk. This combination of factors is important to consider when you see an asset and then analyze how it is used. What if the rope holding the tire swing was frayed? Would that alter your opinion of the nature of risk? What if we implement a control here and position a group of people holding a rescue trampoline under the person on the tire swing with the frayed rope? Have we appropriately reduced the risk? Let’s complicate it more. Now, the rescue team with the trampoline is standing at the edge of a canyon. Does this change our opinion of significant risk once again?

When conducting a risk assessment, an organization needs to evaluate a wide range of factors with varying degrees of influence on the level of risk. You need all types of information about the data you’re trying to protect. Who has access to the data? What type of information was breached? How does it impact the consumer?

To learn more about how to use a risk assessment to report consumer risk, follow @BenjaminWright on Twitter. For more information about planning, conducting, and using a risk assessment, contact us today!

The many different laws that require an organization to give notice if it’s had a data security breach are complex – they don’t all say the same thing. A common topic in these laws is whether the ultimate consumer suffers some significant risk of harm. So, the consumer would be the holder of a credit card or the person whose Social Security number had been compromised. If an organization sees that it may have an incident that might be a security breach, oftentimes the organization is wise to conduct a risk assessment.

A risk assessment evaluates exactly what happened and what the risk of harm is – whether it’s a significant risk or a low risk – relative to the final consumer. Significant risk of harm is a subjective idea and, therefore, if the organization is conducting a risk assessment, it has to evaluate a wide range of factors that might be rather subjective. For example, what’s the possibility that the patient would actually suffer some kind of embarrassment or suffer some kind of identity theft if her medical record was compromised?

In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.