Systems and methods for managing multifaceted data incidents

US 10,331,904 B2
Filed: 10/17/2017
Issued: 06/25/2019
Est. Priority Date: 02/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing a data incident, comprising:

receiving, via a risk assessment server, in response to an occurrence of a multifaceted data incident, data incident data that comprises information corresponding to the multifaceted data incident, the multifaceted data incident further comprising intentional or unintentional compromise, disclosure or release of personal data or personally identifiable information to an untrusted or unauthorized environment, wherein the multifaceted data incident has a plurality of facets with each facet comprising any of unique and overlapping set of privacy data, and media type, and associated risk factors requiring facet specific incident risk assessment;

automatically generating, via the risk assessment server, a risk assessment and decision-support guidance whether the facet is reportable from a comparison of each of a plurality of privacy rules;

wherein the privacy rules define requirements associated with data incident notification obligations or a privacy related contractual obligation that comprise any of notification and mitigation obligations; and

providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server;

wherein;

the risk assessment comprises a determination as to whether a number of unique or non-unique but overlapping individuals across the plurality of facets meet notification thresholds based on jurisdiction;

one or more of the plurality of facets comprises a single or multiple regulatory regions associated with one or more of the privacy rules;

one or more of the plurality of facets is associated with a collection of privacy data determined by a regulatory agency in one or more regulatory regions;

receiving data incident data comprises;

providing one or more data incident risk factor questions to the display device that elicit information corresponding to each facet of the data incident;

receiving responses to the one or more data incident risk factor questions; and

providing the responses to the display device; and

receiving confirmation of at least a portion of the responses; and

further comprising providing an alert to the display device when the comparison indicates that one or more of the plurality of facets of the data incident violates and triggers a notification obligation according to the privacy rules, further wherein a notification schedule comprises notification dates that are based upon a violated one of the privacy rules, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for managing a multifaceted data incident are provided herein. Example methods include receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that including information corresponding to the data incident, wherein the data incident has a plurality of facets with each facet having any of unique and overlapping set of privacy data and media type and associated risk factors requiring facet specific incident risk assessment, automatically generating, via the risk assessment server, a risk assessment and decision-support guidance whether the facet is reportable, from a comparison of the facet to privacy rules, the privacy rules define requirements associated with data incident notification obligations, and providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server.

171 Citations

View as Search Results

16 Claims

1. A method for managing a data incident, comprising:
- receiving, via a risk assessment server, in response to an occurrence of a multifaceted data incident, data incident data that comprises information corresponding to the multifaceted data incident, the multifaceted data incident further comprising intentional or unintentional compromise, disclosure or release of personal data or personally identifiable information to an untrusted or unauthorized environment, wherein the multifaceted data incident has a plurality of facets with each facet comprising any of unique and overlapping set of privacy data, and media type, and associated risk factors requiring facet specific incident risk assessment;
  
  automatically generating, via the risk assessment server, a risk assessment and decision-support guidance whether the facet is reportable from a comparison of each of a plurality of privacy rules;
  
  wherein the privacy rules define requirements associated with data incident notification obligations or a privacy related contractual obligation that comprise any of notification and mitigation obligations; and
  
  providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server;
  
  wherein;
  
  the risk assessment comprises a determination as to whether a number of unique or non-unique but overlapping individuals across the plurality of facets meet notification thresholds based on jurisdiction;
  
  one or more of the plurality of facets comprises a single or multiple regulatory regions associated with one or more of the privacy rules;
  
  one or more of the plurality of facets is associated with a collection of privacy data determined by a regulatory agency in one or more regulatory regions;
  
  receiving data incident data comprises;
  
  providing one or more data incident risk factor questions to the display device that elicit information corresponding to each facet of the data incident;
  
  receiving responses to the one or more data incident risk factor questions; and
  
  providing the responses to the display device; and
  
  receiving confirmation of at least a portion of the responses; and
  
  further comprising providing an alert to the display device when the comparison indicates that one or more of the plurality of facets of the data incident violates and triggers a notification obligation according to the privacy rules, further wherein a notification schedule comprises notification dates that are based upon a violated one of the privacy rules, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, further wherein each data incident comprises any of risk factors, the data incident data, and at least one jurisdiction.
  - 3. The method according to claim 1, wherein one or more of the plurality of facets is capable of being assessed independently of other ones of the plurality of facets.
  - 4. The method according to claim 3, wherein each of the plurality of facets comprises a complete set of privacy data.
  - 5. The method according to claim 1, wherein the privacy rules comprise at least one European General Data Privacy Regulation (GDPR) rule that governs privacy breaches relative to at least one of personal data, special categories of personal data, or combinations thereof.
  - 6. The method according to claim 1, wherein the risk assessment comprises a risk level that indicates a severity of the data incident relative to the privacy rules, and further wherein the risk level is associated with a color, wherein a hue of the color is associated with the severity of the data incident and a sensitivity of the data incident data as determined by the comparison.
  - 7. The method according to claim 1, wherein the privacy rules comprise a privacy related contractual obligations between two or more parties.
  - 8. The method according to claim 1, wherein the risk assessment defines one or more exceptions that apply to at least a portion of the data incident data based upon the comparison.
  - 9. The method according to claim 1, wherein the risk assessment comprises at least a portion of at least one European General Data Privacy Regulation (GDPR) rule.
  - 10. The method according to claim 1, further comprising generating a notification schedule when the comparison indicates that the data incident violates and triggers a notification obligation according to at least one European General Data Privacy Regulation (GDPR) rule.
  - 11. The method according to claim 1, further comprising receiving the information that is to be provided to a regulatory agency and storing the same in a content repository associated with the risk assessment server.
  - 12. The method according to claim 1, wherein the comparison includes modeling of the data incident data to the privacy rules to determine a severity and a data sensitivity of the data incident.
  - 13. The method according to claim 1, wherein the comparison comprises:
    - modeling the data incident data to determine severity and data sensitivity of the data incident by evaluating the data incident data relative to the privacy rules; and
      
      generating a risk assessment from the modeling.

14. A risk assessment server for managing a multifaceted data incident, the server comprising:
- a memory for storing executable instructions;
  
  a processor for executing the instructions;
  
  an input module stored in memory and executable by the processor to;
  
  receive in response to an occurrence of the multifaceted data incident, data incident data, the data incident data comprising information corresponding to the multifaceted data incident, the data incident further comprising intentional or unintentional compromise, disclosure or release of personal data, personally identifiable information, or protected health information to an untrusted or unauthorized environment, wherein the multifaceted data incident has a plurality of facets with each facet comprising any of unique set of privacy data, media type, and associated risk factors requiring facet specific incident risk assessment;
  
  a risk assessment generator stored in memory and executable by the processor to generate a risk assessment for each of the facets from a comparison of the data incident data to privacy rules;
  
  wherein the privacy rules define requirements associated with data incident notification laws or a privacy related contractual obligation that comprise any of notification and mitigation obligations; and
  
  a user interface module stored in memory and executable by the processorto provide the risk assessment to a display device that selectively couples with the risk assessment server;
  
  wherein;
  
  the risk assessment comprises a determination as to whether a number of unique or non-unique but overlapping individuals across the plurality of facets meet notification thresholds based on jurisdiction;
  
  one or more of the plurality of facets comprises a single or multiple regulatory regions associated with one or more of the privacy rules;
  
  one or more of the plurality of facets is associated with a collection of privacy data determined by a regulatory agency in one or more regulatory regions;
  
  receiving data incident data comprises;
  
  providing one or more data incident risk factor questions to the display device that elicit information corresponding to each facet of the data incident;
  
  receiving responses to the one or more data incident risk factor questions; and
  
  providing the responses to the display device; and
  
  receiving confirmation of at least a portion of the responses; and
  
  further comprising providing an alert to the display device when the comparison indicates that one or more of the plurality of facets of the data incident violates and triggers a notification obligation according to the privacy rules, further wherein a notification schedule comprises notification dates that are based upon a violated one of the privacy rules, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident.
- View Dependent Claims (15, 16)
- - 15. The server according to claim 14, wherein the processor further executes the instructions to determine whether a number of unique or overlapping individuals across the plurality of facets meet notification thresholds based on jurisdiction.
  - 16. The server according to claim 14, wherein the risk assessment generator, for each of the plurality of facets further:
    - generates a risk assessment that comprises a risk level that indicates a severity of the data incident relative to at least one of at least one federal rule, at least one state rule, or at least one European General Data Privacy Regulation (GDPR) rule, and a privacy related contractual obligation, and any combinations thereof; and
      
      creates a notification that one or more exceptions apply to at least a portion of the data incident data based upon modeling.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radar, LLC
Original Assignee
Radar, LLC
Inventors
Sher-Jan, Mahmood, Migliore, Andrew, Church, Nicholas J., DeAngelis, David John, Brown, Reno
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/786,538
Publication Number

US 20180039794A1
Time in Patent Office

616 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6245   Protecting personal data, e...

G16H 10/60   for patient-specific data, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0407   wherein the identity of one...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04W 12/02   Protecting privacy or anony...

Systems and methods for managing multifaceted data incidents

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for managing multifaceted data incidents

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links