Privacy and security incidents involving sensitive personal data are as individual as fingerprints. An incident involving misplaced paper records is vastly different from a large-scale cyber-attack affecting millions of people. Yet the organization with the paper incident and the organization with the cyber-attack are both subject to a complex web of global data breach notification laws—which could include GPDR, a mixture of U.S. federal / state regulations, and even unique demands under CCPA .
While the laws vary, there’s a definite concern when it comes to preventing fines for noncompliance and keeping up with shorter and more stringent breach notification timelines. To meet all their regulatory requirements, organizations need to adopt a proactive incident response program—one that allows them to handle the “everyday” incidents as well be prepared for the larger cybersecurity attacks that carry greater risk for fines, lawsuits, and business costs.
View Webinar >
Moving from Ad-Hoc to Well-Defined Incident Response
As Victoria Guilloit, a partner at Privacy Culture, and I discussed in a recent webinar how organizations with proactive incident response programs are always thinking ahead with a culture of collaboration.
- Anticipating what may happen during an incident and planning the exact steps to take.
- Identifying and reinforcing good working relationships with the “go-to” people in each functional department.
- Clarifying what each department’s role and responsibilities will be.
- Holding tabletop exercises with key stakeholders.
- Continual practice until the response process becomes “muscle memory.”
During audits, regulators expect to see a well-orchestrated incident response program. They’re looking for consistency in notification decisions that are objectively based on facts from breach regulations. What’s more, notifications must be timely and fast—for example, privacy teams only have 72 hours for breaches involving GDPR data subjects. And the decision to notify or not notify must be defensible, which means documenting the rationale behind the decision and making decisions in a consistent and objective way.
The 5 Steps of the Incident Response Lifecycle
The better that organizations understand the stages of the incident response lifecycle, the easier it is to identify ways to be more proactive and improve processes.
The five steps include:
- Identify and investigate. To gain visibility into all of the incidents that occur inside an organization, employees need a way to identify and report incident details through a single, centralized channel. Automated alerts escalate the incident to privacy and security teams for investigation. Working together, these departments can gather complete information about the cause of the incident and any mitigating factors. With this centralized process in place, employees can engage in practice sessions to learn when an incident has occurred and how to accurately report them.
- Assess. Using the information collected through identifying and investigating the incident, a privacy team runs a risk assessment to score the severity of the event. These risk factors include the number of people affected, the sensitivity of the data, and the nature and extent of the personal information exposed. It’s especially important to look at the risk mitigation efforts taken that may reduce the impact of an incident—such as controlling the sensitivity of the data. The more that an organization knows about these risk mitigation factors, the easier it will be to prove they have successfully mitigated risk and thus better defend their decisions. And, of course, the process must be consistent, repeatable, and defensible.
- Decide. The decision to notify or not is based on the results of the multi-factor risk assessment as well as the organization’s internal privacy policies. Organizations should document not only their decision but the rationale behind it—and consistently apply that rationale. This is the mark of a mature privacy program. If regulators can see that organizations have done so, the likelihood of significant fines and impact on the business goes down.
- Notify. Regulators want to make sure the right information and language are consistently provided in notifications. Templates for notification letters can provide that consistency, as long as the templates are adapted to meet each jurisdiction’s content requirements. Organizations should create a proactive plan for notification that meets all agency, jurisdictional, and contractual obligations—including the decision to handle notifications internally or outsource them.
- Analyze. With all the incident data captured in a central system, organizations are able to measure the health of their privacy programs with benchmarking dashboards and trend analysis. Privacy teams can better identify areas for both real-time and long-term improvement—and more easily get the budget for making those improvements. For example, if the data shows that a high percentage of incidents occur within a certain department, privacy can justify allocating extra training resources to those employees. The ROI becomes clear, as company leaders see how a strong privacy program improves their overall company’s risk posture.
Simplify Compliance with Automation
Privacy automation provides the consistency and efficiency that regulators are looking for by operationalizing incident response. With this technology, organizations can:
- Simplify incident escalation and details.
- Quickly assess whether an incident requires notification.
- Manage third-party data processing notification obligations.
- Monitor trends and measuring program metrics.
- Provide proof of compliance.