Page 36 - CITP Review

- Number of records stolen. The more records lost, the higher the cost of a data breach. Strong data
  classification methodologies are essential for cataloging, and thus understanding, what sensitive
  information is most vulnerable and, in turn, for reducing the quantity of that information retained.
- Length of time to detect and contain a breach. The sooner a data breach is identified and
  contained, the lower the cost.
- Management of detection and escalation costs. An organization's ability to detect and escalate a data
  breach can be improved by investment in governance, risk management, and compliance (GRC)
  programs that establish an internal framework for satisfying governance requirements, evaluating
  risk across the enterprise, and tracking compliance with those requirements.
- Management of post-breach costs. Insurance protection helps mitigate the cost of a data breach, as
  does business continuity management (BCM). Conversely, notifying victims before the full breadth of
  the breach is known increases post-breach costs, as does hiring consultants to assist with
  remediation and paying to resolve lawsuits.


            Personally identifiable information

The Office of Management and Budget (OMB) Memorandum M-10-23 defines PII as “information that
can be used to distinguish or trace an individual’s identity, either alone or when combined with other
personal or identifying information that is linked or linkable to a specific individual. The definition of PII is
not anchored to any single category of information or technology. Rather, it requires a case-by-case
assessment of the specific risk that an individual can be identified. In performing this assessment, it is
important for an agency to recognize that non-PII can become PII whenever additional information is
made publicly available — in any medium and from any source — that, when combined with other
available information, could be used to identify an individual.” [32]
Linked information is any piece of personal information that can be used on its own to identify an
individual; it includes, but is not limited to, the following:

- Full name
- Home address
- Email address
- Social Security number
- Passport number
- Driver’s license number
- Credit card numbers
- Date of birth
- Telephone number
- Login details

Linkable information is personal information that, on its own, cannot necessarily be used to identify an
individual, but could do so when linked with another piece of information. Some examples of linkable
information:

- First or last name (if common)
- Country, state, city, postcode
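The linked/linkable distinction above, together with the data classification point made under "number of records stolen" at the top of the page, as an added Python example that is not part of the CITP text. It scans records for the linked identifiers listed on the page (SSN, email, telephone, card number, date of birth), confirms card candidates with a Luhn check so that random digit runs are not flagged, and treats linkable quasi-identifiers (name and geography fields) as PII only when enough of them occur together. The patterns, the sample records and the LINKABLE_THRESHOLD policy are assumptions made for this example, not values from the page.

```python
"""Added example (not from the CITP text): a small PII classification scanner.

Linked identifiers are detected with patterns; card candidates are confirmed
with a Luhn check.  Linkable quasi-identifiers count as PII only once enough
of them occur in one record.  Patterns, sample records and the threshold are
assumptions for this example.
"""
import re
from dataclasses import dataclass, field


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Linked identifiers: each one identifies a person on its own.
LINKED_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"(?<!\d)(?:\+1[ -]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}(?!\d)"),
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    # 13-19 digits with optional separators; confirmed by luhn_ok() below
    "card_number": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
}

# Linkable quasi-identifiers: structured fields that identify only in combination.
LINKABLE_FIELDS = ("first_name", "last_name", "city", "state", "postcode", "country")
LINKABLE_THRESHOLD = 3   # assumed policy: this many together => treat the record as PII


@dataclass
class Finding:
    record_id: str
    linked: dict = field(default_factory=dict)    # kind -> matched strings
    linkable: list = field(default_factory=list)  # quasi-identifier fields present
    classification: str = "non-PII"


def classify_record(record: dict) -> Finding:
    """Classify one record as 'PII (linked)', 'PII (linkable)' or 'non-PII'."""
    finding = Finding(record_id=str(record.get("id", "?")))
    text = " ".join(str(v) for k, v in record.items() if k != "id")
    for kind, pattern in LINKED_PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if kind == "card_number":
            hits = [h for h in hits if luhn_ok(h)]   # drop look-alike digit runs
        if hits:
            finding.linked[kind] = hits
    finding.linkable = [k for k in LINKABLE_FIELDS if record.get(k)]
    if finding.linked:
        finding.classification = "PII (linked)"
    elif len(finding.linkable) >= LINKABLE_THRESHOLD:
        finding.classification = "PII (linkable)"
    return finding


def scan(records) -> list:
    """Classify every record; the result is what a data inventory would catalog."""
    return [classify_record(r) for r in records]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "r1", "first_name": "Maria", "last_name": "Garcia",
     "notes": "ssn 123-45-6789, pay card 4111 1111 1111 1111"},
    {"id": "r2", "first_name": "John", "last_name": "Smith", "city": "Springfield",
     "state": "IL", "postcode": "62701", "notes": "called about invoice"},
    {"id": "r3", "city": "Boston", "notes": "anonymous survey response, score 7/10"},
    {"id": "r4", "notes": "contact alice@example.com or (555) 123-4567, dob 1990-04-12"},
    {"id": "r5", "notes": "card 4111 1111 1111 1112 fails the checksum and is not flagged"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f.record_id, f.classification, sorted(f.linked), f.linkable)
```

Record r2 carries no linked identifier, yet name plus city, state and postcode together cross the assumed threshold, which is the "non-PII becomes PII when combined" case from the OMB definition; r3, with a city alone, stays non-PII. The threshold is a policy choice the page leaves to case-by-case assessment, so tune it to the data set rather than treating 3 as a rule.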


[32] See https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf,
accessed July 23, 2019.


            © 2019 Association of International Certified Professional Accountants. All rights reserved.    1-28