On the Same Page: How Streamlining Brings Consistency—and Sanity—to Incident Response
Privacy incident response is a fast-moving target. Timelines are shrinking, the number of incidents is growing, and the scope of personal information is always expanding. Privacy teams struggle with manual or outdated processes to handle all this complexity, and it’s just not enough.
In online polls conducted during a recent Privacy Collective/RadarFirst User Summit Q&A session, only 28% said three-fourths or more of their privacy processes are streamlined and efficient.
Clearly, there’s a gap between what privacy professionals need in incident response and what they actually have. Lisa Copp, associate general counsel and chief privacy officer at CNO Financial Group, shares best practices for incident response and how automation streamlines the process.
The 5 Stages of Incident Response
The Q&A session focused on the five stages of incident response:
- Identify and investigate the incident, including cause, scope, and affected data.
- Assess incident risks and the regulatory and third-party contractual obligations that apply.
- Decide whether, and in which jurisdictions, to notify regulators and affected individuals.
- Notify. Send and track delivery of notifications.
- Analyze incident trends and results for continuous improvement of both data security and the incident response process itself.
Of these five stages, 58% of participants in a second online poll said identifying and investigating incidents would benefit most from streamlining. The results didn’t surprise Copp. “All of us have dealt with incidents,” she said. “They’re so fact-sensitive. You can’t just say you have this type or that type. Even with something that looks very cut and dried, the facts are so nuanced. The next phases are all going to build on that initial investigation. How will I assess this? What will the decisions be? What is the risk to the organization?”
What are the benefits of streamlining the incident response process?
“To start, everybody is working from the same set of facts. Before we streamlined, it was very difficult to have a consistent way and rhythm of investigating incidents and getting on the same page with the stakeholders in the business: IT, compliance, or legal teams. That was a big thing for us.
“And since we streamlined, we put in a process for identifying ‘hot jurisdictions’ [those with more stringent notification timelines]. These timelines aren’t at the forefront of my mind anymore. If an incident occurs in one of these jurisdictions, we can prioritize them and get notification out even faster.”
Streamlining also helps Copp and her team avoid the pitfalls of over-notifying, which can lead to even greater regulatory oversight. “Our company’s internal approach is that we always want to err on the side of caution when informing consumers,” she said. “But our obligation to notify a regulator is very much based on what that legal burden is. We don’t notify because it’s a nice thing to do—we notify based on very specific aspects of the law.”
How important is cross-functional collaboration in streamlining incident response?
“It’s really important because privacy is about people, and that hits every department that every organization has. Cross-collaboration gets us to look at an incident through the same lens and operate on the same set of facts. It not only helps with a particular incident, it helps you drive that maturity across your organization, for your stakeholders to know how to identify an incident, recognize a possible risk, and mitigate the privacy impact of that risk.”
How does automation improve incident response?
“Automation allows the organization to do things consistently. A consistent investigation allows me to take a certain set of facts and put it in context more consistently. Then I’m able to, again, more consistently assess, and have more consistency and repeatability in each phase.
“Ultimately, a regulator may decide that you’re wrong and say an incident should have been reported. But the automation and streamlining shows you got there reasonably. I no longer have any concerns about being able to clearly demonstrate that we got there reasonably based on facts that were reasonably assessed and reasonably validated.”
How does automation help you demonstrate a consistent, defensible incident response process to regulators?
“We have so many breach notification laws that are tied to some flavor of a harm trigger. Without that consistency, it’s not helpful to say, ‘Well, I think no one’s harmed. you know.’ It’s not very persuasive. You need to back up your analysis with the facts of the incident and be able to demonstrate how you applied these facts to this relevant law.”
Do you feel automating the incident response process is a threat to privacy professionals?
“No. A thousand times no. No part of incident management or incident response is a widget— purely a check-the-box activity. Streamlining this process with automation and technology lets privacy professionals do their job better. It lets you demonstrate value, quantify why it’s valuable, and do more with less.
“We’ve seen that in our team. Back when everything was very manual, we didn’t have the time in the day or the brain space to think about how to actually prevent or truly minimize the likelihood of a certain type of incident from occurring again.”
What is the greatest advantage of streamlining incident response?
“Consistency. When you are able to achieve consistency, the other things seem to come along for the ride. If I have consistency and repeatability in my analysis, then I get defensibility. That drives efficiency and ultimately cost savings. I don’t know how you get to defensibility or cost savings very easily, unless you start with consistency.”
How do you ensure consistent analysis from incident to incident?
“Start with a framework that allows for strong cross-functional collaboration. We’re gathering the relevant facts and putting them in the context of these very nuanced fact patterns. If you can start with that, you’ll have fewer different viewpoints for the outcome. Automation helps, because you can document your analysis of an incident. If a similar incident occurs, you can look back and see how you analyzed the earlier incident. You can ask, ‘Do I have a new fact I don’t know of that’s caused my analysis to be different this time around?’”
What final advice do you have for privacy teams?
“Learn everything you can about very small incidents. You’re not under stress when you’re evaluating if an email was accidentally sent to, say, Bob, your brother-in-law, instead of to Bob in HR. Evaluating incidents like this gives you an opportunity to learn so much about your organization, at levels that you never thought you would know. Learning these things makes dealing with larger incidents much easier and much less stressful.”