Constant threats to sensitive data lurk in every corner of your organization, from hard-to-detect malware to busy employees. Thus, you can bet with 100% certainty that your organization has had, is having, or will have a data privacy incident—numerous incidents in fact. Each incident must be risk assessed against the latest breach notification laws to determine if you have a notifiable breach on your hands.
Of course, you can’t assess the incidents you don’t know about, so the first challenge in managing incident response is detection. The difficulty in identifying incidents can cause a significant delay from the time of occurrence to discovery—an average of 66 days, according to the BakerHostetler 2018 Data Security Incident Response Report. Anonymized incident metadata available for analysis within the RADAR platform reflects a somewhat shorter average of 35 days.
There are many reasons for such delays. Employees trained six or nine months ago on the importance of timely incident reporting forget, and then delay or miss reporting an incident. Or perhaps employees are not familiar with what constitutes an "incident" to begin with. Say a human resources manager accidentally puts documents containing an employee’s social security number and other sensitive information in another employee’s folder. The second employee notices the error and returns the folder to the HR manager, who may not realize until a privacy training three weeks later that an incident occurred. These events are far more common than you might think.
Another issue is incident escalation, which is the time from discovery to notification. In the BakerHostetler report, this was an average of 38 days. RADAR metadata shows an average of 22 days. The shorter incident reporting and escalation timeframe found in the RADAR metadata reflects best practices in streamlining incident-response management. Automation through RADAR shortens the time it takes to document, risk assess, and rank the level of severity and data sensitivity in privacy incidents. Thus, the data tends to represent a shorter incident lifecycle than that of privacy teams that use manual solutions and spreadsheets for incident response.
With incident escalation, delays may occur because an incident spans multiple jurisdictions. Since each jurisdiction has its own unique breach notification laws, it may take the privacy team longer to perform a full risk assessment for each one. If an incident exposing personal health information (PHI) affected 500 people who lived in five different states, the privacy team would have to perform a risk assessment against all five state breach notification laws as well as HIPAA/HITECH. Without efficient, consistent and scalable processes in place, risk assessing incidents across multiple jurisdictions could easily prolong the time from discovery to notification.
Efficiency in Incident Response Management
When it comes to managing an incident, efficiency and timeliness are key components for compliance. Measuring the length of time it takes your organization to discover, document, risk assess, and provide notice on a data breach will help you better identify areas that could use improvement. Monitoring and tracking this information over time will build up benchmarks against which you can measure the effectiveness of your incident response program.
Improvement is critical, because as the BakerHostetler report notes, “[State attorneys general] are looking beyond the number of affected residents to explore an entity’s ‘systemic issues.’ Those that are slow to investigate, are slow to notify and experience repeat data incidents may be especially vulnerable.”
State AGs aren’t the only ones putting your organization under scrutiny. Sector-specific and international breach recordkeeping and notification laws mean a lot of regulatory eyes are focused on the way you manage incident response as a whole.
To manage regulatory risk and maintain an effective incident response lifecycle, be sure your organization:
- Has streamlined incident intake and escalation
- Performs consistent multi-factor incident risk assessments
- Executes timely notification
- Has the tools to produce real-time trend analysis and actionable insights from the privacy program
- Is always current with changing global breach regulations
However, “systemic issues” may hinder your ability to detect and escalate incidents and thus manage your regulatory risk. These issues can include inadequate mechanisms for reporting incidents across the organization and a lack of coordination between privacy and other departments to escalate incidents to the privacy team.
As your organization’s data grows in volume and complexity, the need for timely, efficient incident detection and escalation will only increase. Regulator scrutiny and customer awareness of data privacy rights are also increasing.
That’s why privacy-minded organizations are using purpose-built SaaS solutions to streamline and automate incident response management, and thus help reduce the time to discovery and notification in the incident-response lifecycle. These web-based tools allow employees to quickly and securely report and escalate incidents to internal investigators for follow-up. And APIs that integrate detection systems, such as GRCs or SIEMs, with incident response management solutions can expedite incident reporting.
Stay tuned for the next post in this series, which will cover the second challenge: complex breach notification requirements. You can also learn more by downloading the free whitepaper: The 4 Challenges of Managing Incident Response.