Elements of a privacy breach assessment

  • Release version: Washingtondc
  • Updated February 26, 2024
A privacy breach assessment must clearly indicate the jurisdiction in which the breach occurred. This is crucial because each jurisdiction operates under distinct laws and regulations pertaining to privacy and data protection. It must also specify the personally identifiable information (PI) artifacts.

    PI Artifact

    PI artifacts typically refer to the physical or digital forms of personally identifiable information that may be lost or stolen. These artifacts can include verbal (spoken or recorded), visual (printed or displayed), electronic (stored on devices or systems), or paper-based (documents or records) forms of data that contain personal information. A PI artifact contains details such as the nature of the incident, the description of the compromise, the recipient's details, the risk mitigation plan, and so on. Each PI artifact collects data for a particular region and category. The following image shows the information that is collected using the PI artifact form.
    Figure 1. PI artifact form (image: the PI artifact form and the items it contains)
    A PI artifact consists of the following.
    • Data elements: Data elements are specific pieces of information that are part of a larger dataset. In the context of a breach incident, data elements refer to the specific types or categories of data that are impacted or compromised. Examples of data elements can include contact information (such as names, addresses, phone numbers, or email addresses), medical information (such as medical history, diagnoses, or treatment records), financial information (such as credit card numbers, bank account details, or transaction records), and so on.

      When a breach incident occurs, it is important to identify and assess which data elements have been affected or exposed. This helps in understanding the potential risks and impacts of the breach, as well as determining the appropriate response and mitigation measures to protect the affected individuals and their data.

      Figure 2. Data elements form (image: the items on the data elements form, such as personal, medical, and financial information)
    • Jurisdiction: To comply with the varying laws and regulations, it is necessary to identify the specific jurisdictions impacted during a breach assessment. Countries are typically divided into multiple states or regions, each governed by its own set of laws. For instance, within the United States of America, California is considered a jurisdiction with its own governing laws. Therefore, when a breach occurs in California, the applicable laws and regulations specific to California are applied. Jurisdictions also provide important details, such as the number of individuals impacted within that specific region.