Data incidents involve the exposure of sensitive information, such as personally identifiable information and protected health information, to third parties. Data incidents may comprise data breaches, privacy breaches, privacy or security incidents, and other similar events that result in the exposure of sensitive information to third parties. Some of these exposures may be subject to numerous state and federal statutes that delineate requirements to be imposed upon the party that was entrusted to protect the data. Personally identifiable information (hereinafter “PII”) and protected health information (PHI), which concerns healthcare-related information for individuals that is maintained by a covered entity (e.g., an entity that has been entrusted with the PHI such as a hospital, clinic, health plan, and so forth), may include, but are not limited to, healthcare, financial, political, criminal justice, biological, location, and/or ethnicity information. For purposes of brevity, although each of these types of PII and PHI may have distinct nomenclature, all the aforementioned types of information will be referred to herein as PII/PHI. In some embodiments, private contractual privacy obligations may exist between, for example, an employee and employer or between an employee or contractor and a government agency. These private contracts can also include breach mitigation or notification obligations, which can be risk assessed with the systems and methods disclosed herein.