Flags
Once the severity level has been defined, it can be accompanied by flags indicating certain elements of the breach that, although they do not affect a priori the scoring, they are important for the final assessment. For the purpose of the methodology, two flags have been considered:
Number of individuals breached exceeds 100. Data of an individual, breached in the context of a bigger incident, can potentially be more easily disclosed, whereas at the same time a high number of affected individuals influences the overall scale of the breach.
Data unintelligible. Unintelligibility (e.g. in the form of strong encryption and without key compromise) can substantially decrease the impact to individuals, since it highly decreases the possibility of unauthorized parties accessing the data.