A 12-Step Program for Privacy Incident Response Planning
Any organization that collects protected information is inevitably going to have privacy-related incidents.
But what happens next is completely dependent on your organization’s commitment to incident response planning. Martin Gomberg, Senior Privacy Consultant at TrustArc, notes,
“Privacy-related incidents have unique characteristics not shared by other types of data security incidents. In a privacy-related incident the response is determined by both judgement and law, and the organization is under tremendous time pressure to notify authorities under duress and the threat of penalties.”
“Too often what follows an incident is simply a reaction, not a mature response process built to ensure the right outcome. And the difference between reaction and response is planning and preparation.”
The challenge is compounded by differing breach definitions and notification obligations in the complex web of state, national, and international regulations governing privacy. Organizations recognize the risks of noncompliance, yet, Gomberg shares, “too often what follows an incident is simply a reaction, not a mature response process built to ensure the right outcome. And the difference between reaction and response is planning and preparation.”
A mature program involves thorough incident response planning for all 10 stages of incident response:
Stage 1: Discovery (collect incident details)
Stage 2: Identify and investigate the incident, including cause, scope, and affected data
Stage 3: Regulatory research (decide whether, and in which jurisdictions, to notify regulators and affected individuals)
Stage 4: Third-party contractual obligations (evaluate upstream and downstream impacts of partnerships)
Stage 5: Team collaboration (involve all impacted teams)
Stage 6: Risk assessment (assess incident risks and the regulatory and contractual obligations that apply)
Stage 7: Breach decision (determine if the incident qualifies as a notifiable breach)
Stage 8: Remediation & notification (send and track delivery of notifications)
Stage 9: Prevention & analysis (analyze incident trends and results for continuous improvement of both data security and the incident response process itself)
Stage 10: Benchmarking (evaluate performance with industry peers)
Gomberg presented his recommendations in a recent webinar, Privacy Incident Response 101, with RadarFirst Solutions Engineering Director, Travis Cannon.
Their strategy for incident response planning that ensures all 10 stages are adequately covered can be viewed as a 12-step readiness program whose steps naturally fall into four areas: people, visibility, protection, and process.
First, the people have to be prepared to respond. This is an ongoing process and can be tuned based on findings from the analysis phase of incident response.
Step 1: Educate the Board and leadership teams on the importance of compliance and the requirements for effective incident response.
Step 2: Train staff on how to recognize a privacy-related incident and how to report incidents in a concise and timely way.
Step 3: Train the incident response team on policies, processes, and tools, and keep in a state of readiness.
In addition to the privacy and infosec team members, Gomberg recommends designating a representative of each functional area that collects sensitive information and then meeting with those representatives at least every 4–6 months to conduct tabletop exercises involving a variety of potential incident scenarios.
Next, the organization needs to gain visibility by building a clear picture of its assets and risks.
Gomberg says, “I advise companies all around the world, and you’d be amazed at the number of large, prominent companies that don’t know what data they collect. Now imagine you’re in a breach, and you know data has been taken, but you don’t know what, only where. It’s extremely difficult because you didn’t do the homework up front.”
Incident Response Planning: Preparing for the Incident
Step 4: Perform data inventories to determine what is collected and protected, where that data is kept, and in what forms (encrypted or unencrypted, identified or de-identified, etc.).
Step 5: Perform a risk assessment, based on their data and market landscape, to identify risks to the protected information.
Step 6: Perform a regulatory refresh to understand the network of state, federal, and global regulations that apply to their business.
The third aspect of readiness is protection for sensitive data. This is a technical effort, but Gomberg says that even organizations without a large IT staff can and should find a way to implement protection.
“A five-person law firm may not have the same resources or capacity to implement the same types of controls that a multi-national corporation might, yet they may still be collecting large amounts of highly confidential and privileged personal data, often from those same multi-nationals. So, whereas they may have a lot of data under their control, they may not necessarily have the sophistication of the technology. But they need to get in place the mechanisms that allow them to centralize their risk, detect, report, and notify. If your organization holds protected information, you need to do whatever you need to do.”
Step 7: Ensure good data security practices
- strong password policies
- timely installation of security patches from vendors
- security software on every PC
- security awareness training for all staff
With these basic measures in place, the organization can implement more sophisticated data security measures based on their risk assessment, resources, and budget.
Step 8: Incorporate monitoring solutions that detect unauthorized access or unusual system activity and provide early warnings of an incident in progress.
Step 9: Take proactive mitigation measures such as encryption or de-identification of sensitive information to help limit risks if data is exposed. This also helps work an organization’s favor if an incident or series of incidents triggers a regulatory investigation.
Finally, there is the foundation of a mature privacy incident response plan: consistency, speed, and accuracy through all phases of every privacy incident.
Your privacy incident response plan needs to:
- Arrive at notification decisions for all applicable jurisdictions worldwide in time to meet reporting deadlines.
- Provide evidence of a decision-making and notification process that is consistent and accurate enough to satisfy regulators.
To create a mature privacy program, an organization needs to include these things as part of its incident response plan:
Step 10: Establish clear procedures for incident response. Roles need to be clear, especially the coordination and division of responsibilities between the IT and privacy team members.
Step 11: Implement tools to automate as much of the process as possible. Automation brings efficiency and consistency to every phase. It can help the team meet tight notification deadlines in multiple jurisdictions while documenting the whole process for regulatory and reporting purposes; as well as minimize the work of keeping up with new regulations and regulatory trends.
Step 12: Regularly review reports on key metrics
- volume, type, and sources of incidents
- average interval between incident and reporting
- interval between incident reports and notification decisions
Reporting helps identify emerging risks and opportunities for improvement, and it can be helpful in justifying privacy budgets and investments to executive-level decision-makers.
Reporting helps identify emerging risks and opportunities for improvement
The battle is never done
While most 12-step programs are designed to fight addition, not privacy risk, there is one similarity: the battle is never done. Every step has to be practiced continuously, evaluated, and improved.
Building a mature incident response plan isn’t easy, but it has never been more imperative.
There have been more than 100 laws governing privacy and cyber enacted globally in the last 2 years alone, and we all know that the threats to data privacy are only growing. So, preparing for incident response will only become more challenging the longer your organization waits.