How Do You Define Privacy Risk?
Assessing Privacy, Security, Regulatory and Legal Risks
Privacy is a risky business, and the message is spreading outside the privacy team. Boards and investors are recognizing that privacy risks are an important factor for investor confidence. Organizations are also becoming more aware of the privacy risks lurking in their third-party relationships.
The need to manage privacy risks is underscored by the 2022 Verizon Data Breach Investigations Report, which found an average data breach cost of $4.35 million, up 12.7% from $3.86 million in the 2020 report.
As breach costs increase, the return on risk management efforts also increases. But with competing business initiatives vying for budget, how does an organization decide where to invest its finite funds? And how do you define privacy risk?
Fortunately, risks are not equal across time and place. The art lies in understanding the risk profile of your organization, then using that knowledge to guide ongoing investments in privacy and security.
Areas of Risk
Privacy risks (and spending) fall into two big buckets: prevention and response. Information security and privacy programs are critical to helping prevent data breaches. But no amount of spending will provide 100% protection, so investment must be balanced between pre- and post-incident preparedness in a way that makes sense for the organization.
The Verizon DBIR study breaks out post-breach costs into four areas:
- Detection and escalation
- Post-breach response
- Lost business
The largest share of data breach costs in 2022 was detection and escalation.
These averages can help guide privacy and security spending, but they vary widely across industries and jurisdictions, so each organization needs to understand its own risk profile.
Let’s look at some factors to consider in different risk areas and some risk management strategies.
In The Privacy Collective Session 5, Rosemarie Morgan, CPO at Brighthouse Financial, said, “In this industry [financial services] and the insurance industry, we are trusted with so much valuable personal information, that the reputational harm is exorbitant. It’s a cost that can’t be quantified – it’s huge! This can’t be sacrificed, this is everything.”
Privacy and Security Risks
Breach prevention is and should be the first priority, and information security rightly garners the lion’s share of privacy and security budgets in most organizations. Even so, privacy programs are an important part of prevention, and many merit a higher share of budget than they get.
For example, the Verizon study found that in 2021, compromised credentials were the most common attack vector, accounting for 19% of breaches. All the cyber-security in the world won’t protect a system if an attacker can waltz right in using a stolen password.
So, if an organization has large numbers of employees, customers, or partners accessing business networks, privacy awareness and training programs should also be a priority.
Organizations can also save money by investing time and resources in “soft” mitigation activities. Having privacy and security teams get involved in new business initiatives on day one can save money by building safeguards right into systems and processes. And building and maintaining data maps can proactively identify privacy and security gaps.
Future risks can also be identified through post-incident results: an automated incident management platform can provide benchmarks and metrics to identify emerging problems before they cause breaches.
Regulatory risks, including audits and fines for non-compliance, are highly dependent on jurisdiction and industry. Medical organizations can face severe penalties under HIPAA regulations in the U.S., with maximum penalties of $25,000 per civil violation ($50,000 plus jail time per criminal violation).
On the other hand, the U.S. has no national privacy law with mandatory penalties, whereas GDPR violations in the EU can carry fines up to €20 million or 4% of annual global turnover (gross revenue), whichever is greater.
An organization in a highly regulated industry or jurisdiction needs to ensure that policies and procedures meet privacy requirements and that all incidents are handled correctly and within regulatory deadlines. Privacy teams need budget and resources to keep policies and processes up to date, train staff on them, and monitor to ensure they’re being followed.
An automated incident management platform can help ensure timely and consistent incident reporting, assessment, and notification, and it can help free up time for the privacy team to work on other aspects of compliance.
Legal risks around privacy are also very much dependent on jurisdiction. Regional regulations, such as GDPR and some of the 13 national privacy laws modeled after it, provide for an individual right of action in case of privacy violations.
While the U.S. has no national privacy law, the California Consumer Protection Act (CCPA) and some state laws modeled after it provide for individual right of action, and other state laws empower their Attorneys General to take legal action on behalf of breach victims.
A multi-national and/or multi-state business, especially, needs to stay on top of legal risks in all applicable jurisdictions and be prepared in case legal action does arise. The compliance officer and counsel need to stay on top of developing regulations and case law and anticipate issues.
Cyber liability insurance should be reviewed regularly to be sure it’s adequate to cover potential legal costs. And the incident response process and tools should automatically capture and document information that might be needed in case of litigation, including incident specifics, incident mitigation, risk assessments, criteria behind notification decisions, and notification and other services provided to victims.
The Outsized Impact of Incident Response
Over the years that Ponemon has been producing its CODB report, lost business has consistently been the largest cost resulting from data breaches. And other, longer-term studies have shown that those losses can go on for years.
The obvious takeaway is to prevent breaches at all costs, and the 2022 DBIR report did show that security automation and a “zero trust” security model lowered costs by reducing the time to identify and respond to a breach.
But the study also found that incident response readiness had a huge impact on costs: incident management teams that tested and streamlined their incident response processes reduced the average total cost of a data breach by $2.66 million.
The impact isn’t surprising when you consider that all the other risks and mitigations come together in incident response.
- An undetected incident can continue to expose more data. System monitoring and automated incident reporting can help spot an incident early, enabling containment and mitigation.
- Early warning allows the PR team to proactively manage communication about the incident to minimize reputational damage.
- With automated risk assessment tools and a tested process, the incident management team can quickly make notification decisions to meet deadlines in all applicable jurisdictions and avoid regulatory penalties.
- An automated incident management platform can also create the documentation that will be needed to mitigate regulatory and legal risks.
The Art and Science of Managing Privacy Risk
Balancing privacy risks and investments is definitely an art. Decision-makers have to look at all categories of risk (information privacy/security, regulatory, legal, and business) in the context of their own unique organizational footprint, processes, budgets, and risk tolerance.
But there’s one area where the data is clear: incident management. Forming a cross-functional incident management team and empowering them with the right tools can have a huge financial impact on breach costs for a relatively small expense. At least that one decision should be easy.