Actifile’s Risk Portal displays risk as the number of files, the number of records, and an estimated assessment of the monetary exposure the data would pose if a data privacy incident were to happen.
One question we get asked quite often is about this $ value: “How do you calculate the risk?”
Skepticism about the assessed numbers is quite justified: maybe they seem too high (evoking an “are you trying to scare me?” response), or maybe they seem too low (is this risk even “worth” addressing?).
The calculation of the assessment is simple: multiply the “number of records” found by the “value per record” (estimated risk = number of records × value per record):
About the “value per record”
The “value per record” is an estimate based on the best currently known averages, gleaned from sources such as the big consulting firms and privacy consultants/researchers, which in turn are derived from public and private data on past data breaches. The cost of each incident is normalized by the number of records lost in that incident, and the average across incidents is then used as the “value per record”.
It is important to understand that these numbers can only serve as a rough estimate.
Even regulators, the main bodies that levy fines and penalties, do little to dispel the uncertainty: as an example, HIPAA fines range from $100 to $50,000 per “violation”, depending on whether it is a HIPAA category 1, 2, 3 or 4 violation.
Furthermore, regulatory fines are not the only expense when an incident happens. Forensic analysis is needed if you cannot show what happened, and it costs a pretty penny (upwards of $50k). A lawyer may be an unavoidable expense when trying to convince the regulator to drop (or at least lower) the fines and penalties. Then there are PR expenses to notify affected customers, increased insurance costs, etc.
It is customary for the “value per record” to be lower for rules that match a single item (e.g. a credit card number, CCN, by itself) than for rules that require the item to be found in conjunction with additional supporting information (such as an SSN). Thus ePHI, which requires a full record to be found (personal identifiers plus medical diagnosis or procedure data), is assigned a higher value than a standalone SSN or CCN.
The value per record is set as part of the policy and can be changed as needed by the MSP. See example below.
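Separately, here is a small Python model of the arithmetic described above, added for illustration only: it is not Actifile’s code, the rule names and dollar values in it are placeholders chosen for the example (not the product’s policy defaults), and the file paths and record counts are constructed sample data. It shows the three pieces a practitioner would want to see together: a per-rule value-per-record table that an MSP override can replace, a classifier that applies the standalone-versus-conjunction rule (identifier plus medical data counts as ePHI, otherwise the record is valued as the standalone identifier it carries), and the aggregation into the three numbers the Risk Portal displays.

```python
from collections import defaultdict

# Hypothetical value-per-record table in USD. These are placeholder numbers
# for this example, NOT Actifile's actual policy values.
POLICY_VALUE_PER_RECORD = {
    "CCN": 10.0,    # credit card number found on its own
    "SSN": 25.0,    # social security number found on its own
    "ePHI": 200.0,  # personal identifier + diagnosis/procedure data (conjunction)
}

# Constructed scan findings: (file path, rule matched, records found).
# One file matching two rules is counted once as a file but its records
# accumulate under each rule; that is a modeling choice for this example.
SAMPLE_FINDINGS = [
    ("/share/finance/cards.csv", "CCN", 1200),
    ("/share/hr/employees.xlsx", "SSN", 350),
    ("/share/clinic/visits-2023.csv", "ePHI", 480),
    ("/share/clinic/visits-2023.csv", "SSN", 480),
]

# Hypothetical tags a scanner might attach to the fields of one record.
IDENTIFIER_TAGS = {"SSN", "CCN", "name+dob"}
MEDICAL_TAGS = {"diagnosis", "procedure"}


def classify_record(fields):
    """Pick the rule a single record falls under from the data items it contains.

    An identifier found together with medical data is a full ePHI record
    (higher value). Otherwise the record is valued as the standalone
    identifier it carries. Returns None when nothing sensitive is present.
    """
    if fields & IDENTIFIER_TAGS and fields & MEDICAL_TAGS:
        return "ePHI"
    if "SSN" in fields:
        return "SSN"
    if "CCN" in fields:
        return "CCN"
    return None


def assess_risk(findings, policy=POLICY_VALUE_PER_RECORD, overrides=None):
    """Aggregate findings into number of files, number of records and
    estimated monetary risk (records per rule x value per record).

    `overrides` models the MSP editing the value per record in the policy.
    """
    values = dict(policy)
    values.update(overrides or {})
    files = set()
    records_per_rule = defaultdict(int)
    for path, rule, count in findings:
        if rule not in values:
            # Refuse to silently value a rule at $0: that would understate risk.
            raise KeyError(f"no value per record configured for rule {rule!r}")
        files.add(path)
        records_per_rule[rule] += count
    monetary = sum(values[rule] * n for rule, n in records_per_rule.items())
    return {
        "files": len(files),
        "records": sum(records_per_rule.values()),
        "by_rule": dict(records_per_rule),
        "monetary_risk": monetary,
    }


if __name__ == "__main__":
    print(assess_risk(SAMPLE_FINDINGS))
    # The MSP lowering the ePHI value per record halves that rule's contribution.
    print(assess_risk(SAMPLE_FINDINGS, overrides={"ePHI": 100.0}))
```

The point of the `KeyError` in `assess_risk` is the practical caveat: a rule with no configured value per record should fail loudly rather than quietly contribute $0, because the whole purpose of the dollar figure is to make under-addressed data visible.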