There’s no doubt about it: successful privacy incident response can be like trying to hit a moving target while standing on quicksand.
With over 100 new privacy laws going into effect just in the last two years, fast-changing business technology from AI to ad tech pushing the definitions of privacy, and new data security threats cropping up constantly, preparing to respond can be daunting. But, as Alice in Wonderland author Lewis Carroll wisely and whimsically suggested, the key is to know where you’re going.
How to know where you’re going was also the topic of a recent webinar, Privacy Incident Response 201: Implementing Your Incident Response Program. According to the presenters, the foundation for a successful IR program includes knowing the needed components, tools, and key measures of success for each stage of the privacy incident response lifecycle.
If you had to sum up the overarching goal of an incident response program in 25 words or less, you couldn’t do much better than the definition presented by Neva dePalma:
“Strive for an incident response process that is fast, efficient, and leads to decisions that are defensible to regulators and effective at protecting affected individuals.”
(Twenty-five words exactly. If you need an IR elevator pitch for your management team, here it is.)
There is no one-size-fits-all incident response program.
Different organizations have different risks, regulatory requirements, and contractual obligations. That said, there are key components and goals that will apply to most organizations at each stage of the incident response process:
- identification and investigation of an incident
- risk assessment
- the decision whether, whom, and how to notify
- the notification phase
- post-incident analysis and reporting
Identification and Investigation
One key goal of the identification and investigation phase is that the incident information captured is sufficient to complete an accurate risk assessment.
A key component for meeting that goal is to deploy a protected and centralized tool for employees to report an incident and escalate details to the necessary IR team members, so that the details are captured quickly, documented, and accessible in one place.
Risk Assessment and Decision
Key goals of the risk assessment and decision phases are that assessments are based on complete, up-to-date evaluations for all relevant regulations and jurisdictions, as well as contractual obligations, and that notification decisions are based on consistent, objective criteria.
One important component to help achieve these goals is an expert tool that can apply an up-to-date, complete global knowledge base of regulations and contract terms to each incident and make objective notification recommendations for each applicable jurisdiction.
In the notification phase, tracking and documentation are critical goals.
A successful incident response program will have consistent, scalable tools and processes for delivering notifications and automatically tracking and documenting successful and unsuccessful delivery.
And finally, the analysis phase needs to inform the whole process, so it should be easy to visualize data and report on incident causes, severity, volume, and other trends.
Each phase of the response process has multiple success criteria. Your criteria may be slightly different, and needs and priorities will change over time, with business, technology, and team changes. But if we take the time to identify our goals—unlike Lewis Carroll’s Alice, who “generally gave herself very good advice, although she seldom followed it”—our roads can all lead to the mature incident response programs we are seeking.