How to Use 2020 to Improve Your Privacy Incident Response
Maybe it’s just a sign of this time of year, but I’ve found myself preoccupied lately with performance statistics. For instance, fitness trackers, always so popular in January as we make our resolutions to undo the effects of end-of-year celebrations and hearty meals.
Fitness trackers allow us to see how we’re performing against our own best metrics.
- Did you walk 10,000 steps today?
- Have you been keeping to your goal for climbing stairs?
- Are you getting the right amount of deep sleep?
These trackers will not only prod you to act, but are also helpful in giving you a reasonable starting place — providing you with the performance targets others are going after.
At the end of the day, there are countless ways to measure your performance, and it’s easy to get lost in the sea of data. That’s why it’s important to cut through the noise and identify the most important, most impactful metrics to focus on for your personal fitness.
Last October, we announced the metrics we will provide at the beginning of each new quarter. The time has come to review key incident response metrics and see how your company compares with established industry benchmarks.
Quarterly Incident Response Metric #1: What percentage of incidents rise to the level of a notifiable data breach?
While every incident involving unauthorized disclosure of regulated data is presumed a notifiable breach, not every incident rises to a data breach if properly managed.
Most jurisdictions allow an organization to avoid notification when sufficient incident risk mitigation has been demonstrated through a consistent multifactor risk assessment. Once an incident has been mitigated and assessed under the applicable jurisdictional requirements, our incident metadata shows that organizations are able to reduce their breach notification obligations to just a small percentage of their overall incidents, thanks to incident response automation best practices.
The last three months of 2019 saw a continuation of that trend, holding fairly consistent with the numbers we saw through the whole of 2019.
Your New Year’s resolution for this metric = Always assess every incident, every time.
Given the breach presumption, every single incident requires a consistent, defensible and documented multifactor risk assessment to make the final notification determination and ensure proof of compliance. The burden of proof is on the organization to justify its decision, as well as document and demonstrate a consistent risk assessment that provides the required proof.
Quarterly Incident Response Metric #2: What is the disposition of incidents — are they malicious in intent?
Despite the prominence of hacking events and nefarious actors in the news these days, for most organizations, the majority of their daily privacy incidents can be attributed to plain old human error or unintentional process breakdowns. Last quarter showed steady results when it came to the disposition of reported incidents.
Your New Year’s resolution for this metric = Do not underestimate the everyday risks posed by plain human error. Account for it.
Process breakdowns and poor employee training are commonplace, and the human element of your business isn’t going away.
Build your program to reduce, but also account for, human error: tighten security controls, implement regular training programs, and monitor the source and volume of reported incidents so you can keep identifying trends.
Quarterly Incident Response Metric #3: How long does it take to discover an incident and provide notification to affected individuals?
Today’s pace of business isn’t slowing down any time soon, and neither are the regulatory requirements to provide notice of a breach to regulators and affected individuals. Time is of the essence when it comes to discovering, assessing, and resolving incidents and data breaches.
So how did organizations do at the end of 2019? For the most part, the speed of incident response remained steady with the average pace of the year.
Your New Year’s resolution for this metric = Race the clock, and always strive to set a new personal record.
No matter how rapid your privacy team is in response, there is always room for improvement.
Whether your team is doing the privacy equivalent of running a four-minute mile or just starting out on a couch-to-5K program, identifying the areas where you lag behind your peers and implementing automation or process improvements can only benefit your overall program results.
Looking ahead to 2020
If there’s one constant we can count on as privacy professionals, it’s that incidents involving private, protected information are inevitable.
When it comes to data breaches at your company, the question isn’t if, but when.
Before you let that fact settle in (and your fitness tracker starts noticing an uptick in your heart rate), consider this: how you manage these incidents can be a huge differentiator for your company and, in fact, work in your favor.
Establishing proven risk mitigation efforts, performing a consistent and defensible multifactor risk assessment of each incident and documenting your burden of proof every time can mean a world of difference in setting your company apart as having a mature incident response program.
The ultimate goal of providing you these benchmarking statistics is to allow you to start out 2020 on the right foot, and that means pinpointing programmatic improvement opportunities that:
- Reduce risk: Not only the risk of regulatory enforcement or damage to your organization, but also the risks to your data and to the individuals whose data is entrusted to you for safekeeping.
- Accelerate incident response times: Not only because faster response times mean meeting regulatory notification deadlines, but also because they reduce your organization’s risk surface by shrinking the window in which incidents can linger unmitigated and unresolved.
- Build trust: By ensuring your organization remains a good steward of data, you build trust and grow brand equity with regulators, industry partners and peers, and the public whose data you hold.
Key definitions used in this article:
- Incident: Unauthorized disclosure of personal information on which a multifactor risk assessment is performed to decide whether it is a breach.
- Intentional, malicious: Incident resulting from malicious actions, such as theft, a computer virus or unauthorized access in which the intent is to cause harm.
- Intentional, not malicious: Incident resulting from non-malicious actions, such as disclosure, unauthorized access or employee snooping in which the intent was not to use the information to cause harm.
- Unintentional or inadvertent: Incident resulting from inadvertent actions, such as misdirected faxes, accidental emails, unintentional posting or mailing of statements, or unintentional mailing of billing records to the wrong recipient.
- Breach: An incident that requires notification to impacted individuals.
- Occurrence date: Date the incident took place.
- Discovery date: Date the entity became aware of the incident.
- Notify date: Date of first notification to regulators or individuals.
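As an added illustration (not code from the article or its authors), the following Python computes the three quarterly metrics above from incident records that use exactly the key definitions listed: disposition category, occurrence, discovery and notify dates, and the risk-assessment outcome. The record layout, field names and sample incidents are constructed assumptions; a breach with no notify date is surfaced rather than silently skipped, since it is the case a compliance reviewer most needs to see.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from collections import Counter
from typing import Optional

# Disposition categories as defined in the article's key definitions.
DISPOSITIONS = ("intentional_malicious", "intentional_not_malicious", "unintentional")

@dataclass
class Incident:
    """One privacy incident record (assumed layout), using the article's date definitions."""
    ident: str
    disposition: str               # one of DISPOSITIONS
    occurrence: date               # date the incident took place
    discovery: date                # date the entity became aware of the incident
    is_breach: bool                # outcome of the multifactor risk assessment: notification required?
    notify: Optional[date] = None  # date of first notification to regulators/individuals, if any

def breach_rate(incidents):
    """Metric #1: share of assessed incidents that rose to a notifiable breach."""
    if not incidents:
        return 0.0
    return sum(i.is_breach for i in incidents) / len(incidents)

def disposition_breakdown(incidents):
    """Metric #2: fraction of incidents in each disposition category."""
    counts = Counter(i.disposition for i in incidents)
    return {d: counts[d] / len(incidents) for d in DISPOSITIONS}

def timing_metrics(incidents):
    """Metric #3: median days occurrence->discovery (all) and discovery->notify (breaches)."""
    to_discover = [(i.discovery - i.occurrence).days for i in incidents]
    to_notify = [(i.notify - i.discovery).days for i in incidents if i.is_breach and i.notify]
    unnotified = [i.ident for i in incidents if i.is_breach and i.notify is None]
    return {
        "median_days_to_discover": median(to_discover) if to_discover else None,
        "median_days_to_notify": median(to_notify) if to_notify else None,
        "breaches_missing_notify_date": unnotified,   # breaches still awaiting notification
    }

# Constructed sample records for illustration; not data from the article.
SAMPLE = [
    Incident("INC-1", "unintentional", date(2019, 10, 1), date(2019, 10, 3), False),
    Incident("INC-2", "unintentional", date(2019, 10, 5), date(2019, 10, 5), False),
    Incident("INC-3", "intentional_not_malicious", date(2019, 10, 8), date(2019, 10, 15), False),
    Incident("INC-4", "intentional_malicious", date(2019, 11, 1), date(2019, 11, 11), True, date(2019, 12, 1)),
    Incident("INC-5", "unintentional", date(2019, 11, 20), date(2019, 11, 21), True, date(2019, 12, 10)),
    Incident("INC-6", "unintentional", date(2019, 12, 2), date(2019, 12, 4), True),  # breach, not yet notified
]
```

Run against real records, the three functions give the quarter-over-quarter numbers the article benchmarks, and the missing-notify list doubles as a check that every presumed breach has a documented notification.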