- From: Harshvardhan J. Pandit <me@harshp.com>
- Date: Mon, 27 Mar 2023 12:55:52 +0100
- To: "public-dpvcg@w3.org" <public-dpvcg@w3.org>
Hi.

The below set of concepts is based on analysis by myself and Georg, and what we have been discussing in the group so far.

- DataBreach (event)
- DataBreachRecord (org measure)
- DataBreachDetection (tech/org measure)
- DataBreachHandlingPolicy (org measure)
- DataBreachImpactAssessment (org measure)
- DBIAProcedure
- DBIAOutcome
- DBIAOutcomeDPANotification
- DBIAOutcomeDataSubjectNotification
- DBIAOutcomeHighRisk
- DataBreachDPANotification
- DataBreachDataSubjectNotification
- temporal properties
  * detection timestamp
  * occurrence timestamp (or period)
  * notification timestamp (for DPA notification)
  * notification timestamp (for DS notification)
- hasJustification available for any comments/justifications, e.g. delay in reporting the notification to DPA
- Details of Breach
  * personal data affected - hasPersonalData
  * scale, frequency, severity - use contextual properties from DPV
  * same for data subjects, amount of data, processing etc.
- scope
  * can be personal data handling
  * can be specific databases or other technology systems
  * can be localised i.e. at a specific location
- Vulnerability
  * needs Thing --hasVulnerability--> Vulnerability
  * DataBreach --exploitedVulnerability--> Vulnerability
  * VulnerabilityMitigation
    + is RiskMitigation applied over a Vulnerability to "patch the data breach"
    + new property `hasVulnerabilityMitigation'
    + to add these to risk ???
  * this is tricky to model (should be practical + legally relevant)
  * there is work on attack surfaces / mitigations that we can map to
- Communicated By
  * processor to controller, processor to processor
  * controller/processor to DPA
  * controller to Data Subject
  * Data Subject to Controller / DPA
  * DataBreachProcessorNotification, DataBreachControllerNotification
  * Or, do we just have a Notification with sender/recipient?
  * timestamps same as earlier
- DataBreachInvestigation
- DataBreachInvestigationStatus
  * DataBreachInvestigationCompleted
  * DataBreachInvestigationOngoing
  * DataBreachInvestigationPreliminary
  * DataBreachInvestigationComplimentary
- Notification Status is effectively whether there is a timestamp
- Notification Communication Mechanism (e.g. emails, SMS)

--
---
Harshvardhan J. Pandit, Ph.D
Assistant Professor
ADAPT Centre, Dublin City University
https://harshp.com/
Received on Monday, 27 March 2023 11:56:12 UTC