Any organization that collects protected information is inevitably going to have privacy-related incidents.
But what happens next is a choice, according to Martin Gomberg, Senior Privacy Consultant at TrustArc. “Privacy-related incidents have unique characteristics not shared by other types of data security incidents. In a privacy-related incident the response is determined by both judgement and law, and the organization is under tremendous time pressure to notify authorities under duress and the threat of penalties.”
The challenge is compounded by differing breach definitions and notification obligations in the complex web of state, national, and international regulations governing privacy. Organizations recognize the risks of noncompliance, yet, Gomberg notes, “too often what follows an incident is simply a reaction, not a mature response process built to ensure the right outcome. And the difference between reaction and response is planning and preparation.”
A mature privacy incident response process and privacy incident policy involve preparation for all five phases of incident response:
- Phase 1: Identify and investigate the incident, including cause, scope, and affected data
- Phase 2: Assess incident risks and the regulatory and contractual obligations that apply
- Phase 3: Decide whether, and in which jurisdictions, to notify regulators and affected individuals
- Phase 4: Send and track delivery of notifications
- Phase 5: Analyze incident trends and results for continuous improvement of both data security and the incident response process itself.
Gomberg presented his recommendations in a recent webinar, Privacy Incident Response 101, with RadarFirst Solutions Engineering Director, Travis Cannon.
Their strategy for building a mature incident response process that ensures all five phases are adequately covered can be viewed as a 12-step readiness program whose steps naturally fall into four areas: people, visibility, protection, and process.
First, the people have to be prepared to respond. This is an ongoing process, and can be tuned based on findings from the analysis phase of incident response.
Step 1: Educate the Board and leadership teams on the importance of compliance and the requirements for effective incident response.
Step 2: Train staff on how to recognize a privacy-related incident and how to report incidents in a concise and timely way.
Step 3: Train the incident response team on policies, processes, and tools, and keep it in a state of readiness.
In addition to the privacy and infosec team members, Gomberg recommends designating a representative of each functional area that collects sensitive information, and then meeting with those representatives at least every 4–6 months to conduct tabletop exercises involving a variety of potential incident scenarios.
Next, the organization needs to gain visibility by building a clear picture of its assets and risks.
Gomberg says, “I advise companies all around the world, and you’d be amazed at the number of large, prominent companies that don’t know what data they collect. Now imagine you’re in a breach, and you know data has been taken, but you don’t know what, only where. It’s extremely difficult because you didn’t do the homework up front.”
To prepare for incident response:
Step 4: Perform data inventories to determine what is collected and protected, where that data is kept, and in what forms (encrypted or unencrypted, identified or de-identified, etc.).
Step 5: Perform a risk assessment, based on the organization's data and market landscape, to identify risks to the protected information.
Step 6: Perform a regulatory refresh to understand the network of state, federal, and global regulations that apply to the business.
The third aspect of readiness is protection for sensitive data. This is a technical effort, but Gomberg says that even organizations without a large IT staff can and should find a way to implement protection.
“A five-person law firm may not have the same resources or capacity to implement the same types of controls that a multi-national corporation might, yet they may still be collecting large amounts of highly confidential and privileged personal data, often from those same multi-nationals. So, whereas they may have a lot of data under their control, they may not necessarily have the sophistication of the technology. But they need to get in place the mechanisms that allow them to centralize their risk, detect, report, and notify. If your organization holds protected information, you need to do whatever you need to do.”
Step 7: Ensure good data security practices:
- strong password policies
- timely installation of security patches from vendors
- security software on every PC
- security awareness training for all staff.
With these basic measures in place, the organization can implement more sophisticated data security measures based on their risk assessment, resources, and budget.
Step 8: Incorporate monitoring solutions that detect unauthorized access or unusual system activity and provide early warnings of an incident in progress.
Step 9: Take proactive mitigation measures such as encryption or de-identification of sensitive information to help limit risks if data is exposed. This also works in an organization’s favor if an incident or series of incidents triggers a regulatory investigation.
Finally, there is the foundation of a mature privacy incident response process: consistency, speed, and accuracy through all phases of every privacy incident.
The privacy incident response process needs to:
- Arrive at notification decisions for all applicable jurisdictions worldwide in time to meet reporting deadlines.
- Provide evidence of a decision-making and notification process that is consistent and accurate enough to satisfy regulators.
To create a mature incident response process, an organization needs to have these things in place:
Step 10: Establish clear procedures for incident response. Roles need to be clear, especially the coordination and division of responsibilities between the IT and privacy team members.
Step 11: Implement tools to automate as much of the process as possible. Automation brings efficiency and consistency to every phase. It can help the team meet tight notification deadlines in multiple jurisdictions while documenting the whole process for regulatory and reporting purposes, and it minimizes the work of keeping up with new regulations and regulatory trends.
Step 12: Regularly review reports on key metrics:
- volume, type, and sources of incidents
- average interval between incident and reporting
- interval between incident reports and notification decisions
Reporting helps identify emerging risks and opportunities for improvement, and it can be helpful in justifying privacy budgets and investments to executive-level decision-makers.
The Battle is Never Done
While most 12-step programs are designed to fight addiction, not privacy risk, there is one similarity: the battle is never done. Every step has to be practiced continuously, evaluated, and improved.
Building a mature incident response capability isn’t easy, but it has never been more imperative.
More than 100 laws governing privacy and cybersecurity have been enacted globally in the last 2 years alone, and the threats to data privacy are only growing. So, preparing for incident response will only become more challenging the longer your organization waits.