Systems and Methods for Managing Data Incidents

US 20170206376A1
Filed: 10/31/2016
Published: 07/20/2017
Est. Priority Date: 02/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for managing a data incident, comprising:

receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional compromise, disclosure or release of personal data or personally identifiable information to an untrusted or unauthorized environment;

automatically generating, via the risk assessment server, a risk assessment and decision-support guidance whether the data incident is reportable from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one European General Data Privacy Regulation (GDPR) rule, each rule defining requirements associated with data incident notification obligations; and

providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to some exemplary embodiments, the present technology is directed to methods for managing a data incident, including receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional compromise, disclosure or release of personal data or personally identifiable information to an untrusted or unauthorized environment, automatically generating, via the risk assessment server, a risk assessment and decision-support guidance whether the data incident is reportable from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one European General Data Privacy Regulation (GDPR) rule, each rule defining requirements associated with data incident notification obligations, and providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server.

17 Citations

View as Search Results

22 Claims

1. A method for managing a data incident, comprising:
- receiving, via a risk assessment server, in response to an occurrence of the data incident, data incident data that comprises information corresponding to the data incident, the data incident further comprising intentional or unintentional compromise, disclosure or release of personal data or personally identifiable information to an untrusted or unauthorized environment;
  
  automatically generating, via the risk assessment server, a risk assessment and decision-support guidance whether the data incident is reportable from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one European General Data Privacy Regulation (GDPR) rule, each rule defining requirements associated with data incident notification obligations; and
  
  providing, via the risk assessment server, the risk assessment to a display device that selectively couples with the risk assessment server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 20, 21)
- - 2. The method according to claim 1, wherein receiving data incident data comprises:
    - providing one or more data incident risk factor questions to the display device that elicit information corresponding to the data incident;
      
      receiving responses to the one or more data incident risk factor questions;
      
      providing the responses to the display device; and
      
      receiving confirmation of at least a portion of the responses.
  - 3. The method according to claim 1, wherein the at least one European General Data Privacy Regulation (GDPR) rule governs privacy breaches relative to at least one of personal data, special categories of personal data, or combinations thereof.
  - 4. The method according to claim 1, wherein the risk assessment comprises a risk level that indicates the severity of the data incident relative to the at least one European General Data Privacy Regulation (GDPR) rule.
  - 5. The method according to claim 4, wherein the risk level is associated with a color, wherein a hue of the color is associated with the severity of the data incident and a sensitivity of the data incident data as determined by the comparison.
  - 6. The method according to claim 1, wherein the risk assessment defines one or more exceptions that apply to at least a portion of the data incident data based upon the comparison.
  - 7. The method according to claim 1, wherein the risk assessment comprises at least a portion of the at least one European General Data Privacy Regulation (GDPR) rule.
  - 8. The method according to claim 1, further comprising generating a notification schedule when the comparison indicates that the data incident violates and triggers a notification obligation according to the at least one European General Data Privacy Regulation (GDPR) rule.
  - 9. The method according to claim 1, further comprising providing an alert to the display device when the comparison indicates that the data incident violates and triggers a notification obligation according to the at least one European General Data Privacy Regulation (GDPR) rule.
  - 10. The method according to claim 8, wherein the notification schedule comprises notification dates that are based upon a violated European General Data Privacy Regulation (GDPR) rule, along with notification requirements that describe information that is to be provided to a regulatory agency or to an affected individual whose personal data has been compromised, disclosed or released as a result of the data incident.
  - 11. The method according to claim 10, further comprising receiving the information that is to be provided to a regulatory agency and storing the same in a content repository associated with the risk assessment server.
  - 12. The method according to claim 1, wherein comparison includes modeling of the data incident data to the privacy rules to determine a severity and a data sensitivity of the data incident.
  - 13. The method according to claim 1, wherein comparing comprises:
    - modeling the data incident data to determine severity and data sensitivity of the data incident by evaluating the data incident data relative to the at least one European General Data Privacy Regulation (GDPR) rule; and
      
      generating a risk assessment from the modeling.
  - 20. The method according to claim 1, further comprising generating a risk assessment guidance interface when the comparison indicates that the data incident violates the at least one European General Data Privacy Regulation (GDPR) rule.
  - 21. The method according to claim 1, the privacy rules further comprising at least one Network and Information Security Directive (NISD) rule of a European Member State.

14. A risk assessment server for managing a data incident, the server comprising:
- a memory for storing executable instructions;
  
  a processor for executing the instructions;
  
  an input module stored in memory and executable by the processor to receive in response to an occurrence of the data incident, data incident data, the data incident data comprising information corresponding to the data incident, the data incident further comprising intentional or unintentional compromise, disclosure or release of personal data, personally identifiable information, or protected health information to an untrusted or unauthorized environment;
  
  a risk assessment generator stored in memory and executable by the processor to generate a risk assessment from a comparison of the data incident data to privacy rules, the privacy rules comprising at least one federal rule, at least one state rule, and at least one European General Data Privacy Regulation (GDPR) rule, each of the rules defining requirements associated with data incident notification laws; and
  
  a user interface module stored in memory and executable by the processor to provide the risk assessment to a display device that selectively couples with the risk assessment server.
- View Dependent Claims (15, 16, 17, 18, 19, 22)
- - 15. The server according to claim 14, wherein the input module further:
    - generates one or more questions to the display device that elicit data incident data corresponding to the data incident;
      
      receives responses to the one or more questions;
      
      generates a summary of responses to the one or more questions;
      
      provides the summary to the display device; and
      
      receives confirmation of the summary.
  - 16. The server according to claim 14, wherein the risk assessment generator generates a risk assessment that comprises a risk level that indicates the severity of the data incident relative to at least one of the at least one federal rule, the at least one state rule, or the at least one European General Data Privacy Regulation (GDPR) rule or combinations thereof.
  - 17. The server according to claim 14, wherein the risk assessment generator creates a notification that one or more exceptions apply to at least a portion of the data incident data based upon modeling.
  - 18. The server according to claim 14, further comprising a notification module that generates a notification schedule when modeling of the data incident indicates that the data incident violates and triggers a notification obligation according to any of the at least one federal rule, the at least one state rule, or the at least one European General Data Privacy Regulation (GDPR) rule, and wherein the notification module generates the notification schedule that comprises notification dates that are based upon a violated rule, along with notification requirements that describe information that is to be provided to a regulatory agency.
  - 19. The server according to claim 18, further comprising a reporting module stored in memory and executable by the processor to receive the information that is to be provided to the regulatory agency and an affected individual and stores the same in a content repository associated with the risk assessment server.
  - 22. The server according to claim 14, the privacy rules further comprising at least one rule under Canada'"'"'s Personal Information Protection and Electronic Documents Act (PIPEDA).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Radar, LLC
Original Assignee
Radar, Incorporated
Inventors
Sher-Jan, Mahmood

Granted Patent

US 10,204,238 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

G06F 21/6245   Protecting personal data, e...

G16H 10/60   for patient-specific data, ...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0407   wherein the identity of one...

H04L 63/1433   Vulnerability analysis

H04W 12/02   Protecting privacy or anony...

Systems and Methods for Managing Data Incidents

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods for Managing Data Incidents

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links