How to Slash Time Spent Addressing Contractual Obligations
In any serious privacy incident, regulatory compliance and victim notification are likely to be top of mind for privacy incident response teams. Avoiding regulatory penalties and loss of reputation are obviously core concerns. Yet contractual obligations can add hugely to the burden and costs of privacy incident response—an ongoing burden likely to increase as the business grows.
Finding efficiency and scalability in the contract management side of incident response can yield big benefits, as one of the largest health insurers in the U.S. found when they automated their privacy incident response process.
The Difficulty with Addressing Contractual Obligations
This nationwide health insurance company, serving more than 16 million members across the U.S., was managing an average of 250 reported incidents per month, each of which potentially affected around 10,000 contracts.
A staff of seven full-time equivalent employees was required to handle incident response, with a manual process that took up to two days per incident.
Even so, the insurer’s privacy director was concerned that her team was not able to fully assess the notification obligations contained in the thousands of contracts, leaving the organization at increased risk of fines and penalties.
The organization deployed Radar to help automate their privacy incident response process.
Within months, managing contract obligations had become a non-issue.
The director cites a recent incident that involved state and federal laws and affected 180 contracts.
“Before, this incident would have taken 1–2 days to work through manually. With Radar, our team had all the information we needed right in front of us in minutes.”
From incident intake through investigation, assessment, and notification, Radar saves the incident response team 95 percent of the time they used to spend on assessment. All the contract requirements and state laws are built into the tool, and the director says the team has instant visibility into notification deadlines, so they can easily avoid incurring fines or penalties.
The team is also saving time because they need to review fewer incidents:
“We used to manually review every incident. Now we only review the ones that are yellow on the heat map, making us 50–70 percent more efficient.”
Other benefits include faster incident intake, because the organization’s 50,000–60,000 employees can enter complete incident information directly into Radar, plus improved consistency in incident assessment and reporting.
Between all the efficiencies that Radar made possible, the privacy director expects to be able to reduce the staff time spent on incident assessments by half.
She says without hesitation, “Radar was our privacy program’s big success story this year.”