While on the subject of ENISA, it has published a suggested methodology for the severity ranking of personal data breaches.
Breaches in the context of the document include breaches of confidentiality, availability and integrity, whether accidental or malicious.
The proposed methodology calculates the severity as the product of three factors:
- Data processing context (1.0-4.0)
- Ease of identification (0.0-1.0)
- Circumstances of the breach, the sum of
  - Loss of confidentiality (0.0-1.0)
  - Loss of integrity (0.0-1.0)
  - Loss of availability (0.0-1.0)
  - Malicious intent (0.0 or 0.50)
Some factors seem to have an undue influence on reducing the calculated severity: whether data was lost but there is no evidence of misuse (illegal processing), which is very hard to know and easy to assume; and two flags, whether fewer than 100 records were lost (the number of individuals affected may be difficult to determine) and whether the data are unintelligible (encryption is often undermined by poor implementation or weak key management).
The calculated severity score is then used to determine one of four levels: low, medium, high and very high. The document includes examples for the data processing context (DPC), but none for the other two factors, nor any overall example scenarios. A typical breach of personal data from something like a retailer, where some customer data is copied and subsequently published elsewhere, would appear to score 3.0 (i.e. High). But the accidental loss of an unencrypted laptop containing all the retailer's employee details, including their medical and bank details in plain text, would score 0.0 (i.e. Low) if there was no "evidence that illegal processing has occurred". This doesn't quite seem correct yet.
The announcement does state "it is planned to further develop the methodology with the aim to generate a final practical tool for a data breach severity assessment". So while this is just an early draft, there is the implication that this type of scoring system might be used to determine whether notification to the relevant competent authority is required, and whether the individuals affected need to be informed.
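To make the two scenarios above concrete, here is an added example (my own code, not ENISA's tool nor anything from the draft) that implements the formula exactly as described above: the product of the data processing context, the ease of identification and the circumstances of the breach, the last being the sum of the three loss scores and the malicious-intent flag. The individual factor values for each scenario are my assumptions chosen to reproduce the 3.0 and 0.0 figures, the "no evidence of illegal processing" condition is modelled as a loss-of-confidentiality score of 0.0, and the thresholds that map a score to the four levels are not stated in the draft and are likewise assumed, chosen only to agree with the two data points given (3.0 is High, 0.0 is Low).

```python
"""Severity of a personal data breach, as the draft methodology is described
in the post: severity = DPC * EI * CB, where CB is a sum of sub-factors.

Added example; factor values and level thresholds are assumptions."""


def circumstances(confidentiality, integrity, availability, malicious=0.0):
    """Circumstances of the breach (CB): the sum of the three loss scores
    (each 0.0-1.0) and the malicious-intent flag (0.0 or 0.5)."""
    for name, value in (("confidentiality", confidentiality),
                        ("integrity", integrity),
                        ("availability", availability)):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"loss of {name} must be 0.0-1.0, got {value}")
    if malicious not in (0.0, 0.5):
        raise ValueError(f"malicious intent must be 0.0 or 0.5, got {malicious}")
    return confidentiality + integrity + availability + malicious


def severity(dpc, ease_of_identification, cb):
    """Product of the three factors. Because it is a product, a CB of 0.0
    zeroes the score no matter how sensitive the data (DPC) is."""
    if not 1.0 <= dpc <= 4.0:
        raise ValueError(f"data processing context must be 1.0-4.0, got {dpc}")
    if not 0.0 <= ease_of_identification <= 1.0:
        raise ValueError("ease of identification must be 0.0-1.0")
    return dpc * ease_of_identification * cb


# ASSUMED thresholds (the draft's are not quoted in the post); they only
# need to place 3.0 in "high" and 0.0 in "low" to match the post.
LEVEL_THRESHOLDS = ((2.0, "low"), (3.0, "medium"), (4.0, "high"))


def level(score):
    """Map a severity score to one of the four levels."""
    for upper_bound, name in LEVEL_THRESHOLDS:
        if score < upper_bound:
            return name
    return "very high"


def assess(dpc, ease_of_identification, confidentiality, integrity,
           availability, malicious=0.0):
    """Convenience wrapper returning (score, level) for one breach."""
    score = severity(dpc, ease_of_identification,
                     circumstances(confidentiality, integrity,
                                   availability, malicious))
    return score, level(score)


# The post's two scenarios, with constructed factor values.
# Retailer: customer data copied and published. Assumed DPC 3.0, trivially
# identifiable individuals (EI 1.0), full loss of confidentiality.
RETAILER_LEAK = dict(dpc=3.0, ease_of_identification=1.0,
                     confidentiality=1.0, integrity=0.0, availability=0.0)

# Lost unencrypted laptop with employee medical and bank details. Assumed
# DPC 4.0, EI 1.0, but "no evidence of illegal processing" is scored as
# 0.0 loss of confidentiality, so the product collapses to 0.0.
LOST_LAPTOP_NO_EVIDENCE = dict(dpc=4.0, ease_of_identification=1.0,
                               confidentiality=0.0, integrity=0.0,
                               availability=0.0)

# Same laptop, but treating the plaintext exposure as a confidentiality
# loss: the single flag swings the result from the lowest to the highest band.
LOST_LAPTOP_EXPOSED = dict(LOST_LAPTOP_NO_EVIDENCE, confidentiality=1.0)

if __name__ == "__main__":
    for name, breach in (("retailer leak", RETAILER_LEAK),
                         ("lost laptop, no evidence", LOST_LAPTOP_NO_EVIDENCE),
                         ("lost laptop, exposure counted", LOST_LAPTOP_EXPOSED)):
        score, band = assess(**breach)
        print(f"{name:32s} score={score:.2f} level={band}")
```

Running the script shows the point the post makes: the retailer scenario lands on 3.0 (high), the laptop scored with no evidence of illegal processing lands on 0.0 (low), and the same laptop with the plaintext exposure counted as a confidentiality loss jumps to 4.0 (very high under the assumed thresholds). Any factor that can legitimately be 0.0 dominates a multiplicative score, which is why the "no evidence of misuse" judgement carries so much weight.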
See also the related posts The Privacy Dividend and Business Case for Data Protection.