Reduce Incident Response Timelines and Promote Organizational Awareness
As part of our exploration into the challenges to efficiency in privacy incident response, we’re diving into the first stages of every privacy incident response management process: incident discovery, investigation, and escalation. With a solid understanding of these stages, we can better identify the barriers that cause organizational inefficiency and help expedite notifications when they’re required for compliance.
Ultimately, the first step to reducing incident response timelines is benchmarking the effectiveness of your privacy program. With previous performance documented, your organization is able to effectively measure improvement. Once you have clearly defined metrics for said improvement, it’s time to identify where in your process you can streamline incident response workflows and that is where the fun begins.
The difficulty in identifying incidents can cause a significant delay from the time of occurrence to discovery—an average of 12 days, according to the BakerHostetler 2020 Data Security Incident Response Report.
Detection delays occur for various reasons. Sometimes an employee misunderstands what constitutes an “incident,” other times organizational training or detection systems are to blame. Whether the delay from detection to investigation lasts two hours or two weeks, it opens the organization up to risks, including the risk of non-compliance in the event breach notification is required.
Once an incident is discovered it needs to be investigated, profiled, and risk assessed to determine if notification is required. For the sake of exploring efficiency barriers to escalation, let’s consider a security incident that escalates to a privacy incident.
Investigation & Required Escalation
As defined by the U.S. Department of Homeland Security, a privacy incident is an adverse event that happened as a result of violating DHS’ privacy policies and procedures. To qualify as a “privacy incident” the occurrence must “pertain to the unauthorized use or disclosure” of any regulated data such as names, addresses, social security numbers, or any otherwise personal information (PI), or protected health information (PHI).
Privacy incidents can originate from phishing schemes or cyberattacks, but, like security incidents, they also arise from human error, such as mishandled documents or the verbal and even visual disclosure of PI or PHI.
Regardless of the origin, breach notification laws obligate organizations to assess every incident equally through a multi-factor risk assessment. This is how organizations determine whether the incident qualifies as a breach and what, if any, notification obligations are required of them.
While it’s important to treat every privacy incident as a potential breach, only through a proper multi-factor risk assessment will an organization be able to identify their actual notification obligations, and avoid over-notification to affected individuals or penalties and corrective action plans from regulators.
Multi-Factor Risk Assessment
In many organizations, incident detection falls under the security teams’ domain, while escalation to identify an incident as a privacy incident requires the expertise of privacy or compliance professionals.
Once escalated to privacy, delays may occur because an incident spans multiple jurisdictions. Since each jurisdiction has its own unique breach notification laws, it may take the privacy team longer to perform a full risk assessment for each one.
For instance, if an incident exposing protected health information (PHI) affected 500 people who lived in 10 different states, the privacy team would have to perform a risk assessment against all 10 state breach notification laws as well as HIPAA/HITECH. Without efficient, consistent and scalable processes in place, risk assessing incidents across multiple jurisdictions can easily prolong the overall time from discovery to notification.
For these reasons, inefficiency within multi-factor risk assessment is extremely common. Organizations that fail to properly manage incidents become a cautionary tale among their peers, and the reputational damage of a mishandled privacy incident can leave a lasting scar.
Decentralized Incident Intake & Automated Risk Assessment
Security incidents and privacy incidents are never desirable. However, having a consistent, scalable solution for incident intake, risk assessment, and notification decisioning helps establish a repeatable process that streamlines incident response management.
One useful way we’ve found to shorten risk assessment timelines is to decentralize incident intake. The incident response management tool Radar provides incident guest forms that can be customized and distributed organization-wide to help reduce incident detection and escalation timelines. Furthermore, Radar’s patented Breach Guidance Engine™ maps breach notification laws across every incident to instantly provide guidance for privacy professionals, eliminating the need for hours of jurisdictional research.
With the application of decentralized incident documentation and automation in risk assessment, teams anywhere in the world can record an incident and software can automatically evaluate the full extent of the risk and notification obligations across jurisdictions through a single platform.