As privacy grows in importance, so does the need for effective incident response management. Ideally, this includes consistent processes, well-established policies and procedures, collaboration across departments, and proof of compliance. The reality is often a lot different—and a lot more chaotic.
In a recent IAPP webinar, Nikole Davenport, senior manager of cyber risk services at Deloitte & Touche, described the experience of a client who was the victim of a phishing scam—an incident that caused severe internal turmoil. “They’d not faced something like this before,” she said, “and there was no policy…no metrics...no standard. IT had its own thought processes on the way it way supposed to be done from an IT perspective, but it stopped there. No one knew how to inform the executives; no one knew which executives to inform.”
The organization had no escalation process or “event quarterback” to take charge. ”There were multiple calls going on with multiple teams at the same time and [nobody was] necessarily sharing information,” she added. “That’s inefficient. That’s a time cost. That frays everybody’s nerves even more in a very highly sensitive situation.... It’s not repeatable; hopefully that is never repeated.”
The High Cost of Chaos
As the phishing incident so painfully illustrates, privacy teams can’t afford the costs of inefficient processes. Time spent manually researching laws, conducting risk assessments for breach determination, and creating board reports could be better spent on higher-value and mission-critical work, such as training or policy-making. Scaling the privacy program to meet growing business needs—such as GDPR compliance—without adding headcount is difficult.
Inefficiency also breeds subjective decision making, which leads to issues with noncompliance and the danger of over- or under-reporting. Longer lag times from incident discovery to providing notification increases the potential risk of fines.
Regulators such as GDPR enforcers have greater concerns than simply whether or not you correctly identified a notifiable breach. They want you to show a consistent process of how you got to the decision of whether to report or not. That’s difficult to do when each department—e.g., privacy, security, and legal—has its own process for assessing incidents, and no consistency in how each incident is assessed. This inconsistency makes it nearly impossible to get an overall view of risk in your organization and to obtain the critical metrics to demonstrate the value of your privacy program to the board—and thus generate a business case for funding.
Taming the Turmoil with Technology
Many privacy teams strive to meet these and other challenges by building an incident response solution in-house or by manually modifying existing systems. Developing and maintaining homegrown solutions requires significant investments of time and money, in addition to the continued burden of keeping current with changing laws.
GRCs, SIEMs, and ticketing systems can play a role within the incident response ecosystem, but they lack the automation and decision-support guidance privacy professionals rely on to determine if an incident rises to the level of a notifiable breach. They are unable to provide incident-specific information on if notification is required, who needs to be notified, how, and by when—all critical components to compliance with breach notification regulations.
Purpose-built software for managing incident response bridges the gap between reality and best-in-class, offering what other solutions lack:
Automation for consistent risk assessments, efficient reporting, escalation, and notification
Built-in guidance for breach determination based on the most current laws
Centralized repository for creating, managing, and storing notification letters, as well as other incident-related documentation to support your burden of proof
No two incidents are alike, but your processes for incident response management have to be consistent across the board. Only then can you reduce risk for your organization, cut costs, and create a solid foundation on which to build an effective privacy program.
Read the entire blog series here:
Challenge #1: Incident Detection and Escalation
Challenge #2: Ever-Changing Breach Notification Laws
Challenge #3: Lack of Budget
You can also learn more by downloading the free whitepaper: The 4 Challenges of Managing Incident Response.