Privacy Incident Response – A Repetitive Yet Unique Process, Part II
At our recent virtual RadarFirst User Summit we engaged our panelists in a discussion around the five stages of privacy incident response: Identification, Assessment, Decision, Notification, and Analysis. To no one’s surprise, the first stage, Identification and Investigation, was singled out as the most challenging stage to streamline.
In their discussion of stages two through five, however, our panelists agreed that as a privacy incident progresses through the incident lifecycle, new challenges routinely arise that demand creative solutions and, ultimately, benefit from a streamlined approach.
Our panelists who contributed and shared their insights are:
- Kristen Bewley, Privacy and Regulatory Counsel at Texas Capital Bank
- Michael Davis, Director of the Privacy Office at USAA
- Laura Cummins, Corporate Privacy and Security Officer at Baptist Memorial Healthcare
- Beth Cobb, AVP for Privacy Practices at Unum Group
Privacy Incident Assessment
According to our panelists and participant polls, the assessment phase of privacy incident response is the second stage most likely to benefit from streamlining.
Assessment is complex because there are so many incident variables to be weighed and considered:
- What data elements were exposed and how are they classified?
- Who and where are the people who are potentially affected by the incident? And are they in vulnerable or protected populations?
- What jurisdictions and regulations apply?
Overlapping Privacy Laws & Regulations
Additionally, there can be multiple, overlapping layers of requirements: international laws such as GDPR, national regulations for different industries or lines of business (HIPAA, GLBA, etc.), and a variety of state laws (CCPA, CPRA, etc.), all of which elicit more questions.
Chief among these questions is: What role does our organization play in this incident?
- Data controller or data processor?
- Covered entity or business associate?
With the additional challenge that regulations and regulatory guidance are constantly changing and evolving, assessment becomes even more of a puzzle.
Automation & the Assessment
To streamline privacy assessment, an incident response platform that automates the assessment stage is crucial. Not only is the Radar platform kept current on new laws and regulatory changes, it also promotes consistency in assessments and automatically documents incident data, including every critical detail that was considered in making a notification decision.
An automated system can also help the privacy team to quickly reassess an incident when new information comes to light later in the incident lifecycle.
Consistency & Streamlining Privacy Incident Response
An additional best practice for streamlining privacy incident response that fosters consistency is to have the same set of people conduct every assessment. The panelists agreed that assessors need to be analytical, detail-oriented, and self-motivated. They also need to be able to spot and handle exceptions or special factors that may require outside expertise. For example, a financial institution might have a small line of business that involves medical insurance. If HIPAA compliance is not their core expertise, the privacy team may need assistance from outside counsel to resolve the issue.
Another agreed-upon best practice is to establish checks and balances. As an example, a company may enact a policy that incidents deemed high risk must pass through a mandatory review by legal counsel or the CPO before a final notification decision is made. Naturally, each organization has its own guidelines for risk, so a final review helps make sure that those criteria are applied consistently.
A final bit of advice from our panel was to build and maintain relationships with your regulatory partners. Speak to them on a regular basis, so communication and trust are already established when incidents do happen.
Remediation vs Closure
A primary issue that surfaces with many privacy incidents is how to handle remediation. On the one hand, documenting remediation measures is critical to demonstrating your commitment to compliance. On the other hand, some remediation measures take time and will continue long after an incident is effectively closed.
How can a privacy team balance the need to document remediation for each incident with the downsides of keeping incidents open? When we asked our session participants more than half replied that remediation should be tracked separately after an incident is closed.
In fact, as our panelists pointed out, there are potentially two types of remediation for an incident:
- The first is specific to the incident and should be documented in the incident report. For example, there’s an unintended disclosure when someone is emailed the wrong document, but the recipient is able to confirm that they deleted the document without opening it.
- The second type of remediation might be ongoing: documents are being misdelivered frequently because of a coding error within an application, or staff need training to help them identify the correct documents to send.
Integrating Incident Response with Other Enterprise Workflows
Privacy incident response does not exist in a vacuum, so privacy groups are also finding ways to streamline it within the larger business context. Radar customers have integrated their incident response software with GRC systems such as Archer and security systems such as Fair Warning. In addition, Radar now offers two ServiceNow applications, Radar for Security Operations and Radar for IT Service Management. Each of these integrations serves to route privacy-related incidents from ServiceNow into Radar, allowing efficient, collaborative privacy incident workflows across privacy, security, and IT teams.
Streamlining Privacy Incident Response Begins with Measurement
As the great management guru Peter Drucker said, “If you can’t measure it, you can’t improve it,” and incident response is no exception. Most organizations use metrics to track privacy incident data such as causes and notification rates. But you can also use metrics to track and improve efficiency.
Looking at mean time to privacy response (MTTPR), the time from incident discovery to notification or to the decision not to notify, gives you a baseline metric to work from. (Radar customers can view this metric through the Insights panel.) Comparing your MTTPR with privacy industry benchmarks can tell you how your incident response process is performing.
Simplify Privacy Incident Response Where Possible
Privacy teams need to exercise the courage to simplify the things they can. They can’t simplify the regulatory landscape. Requirements have only become more stringent over time. One of our panelists pointed out that even the more ambiguous U.S. state privacy laws are being interpreted more and more conservatively.
“Regulators are changing the laws that said to notify ‘as soon as possible.’ They know it’s like telling a teenager to get something done as soon as possible. It’s never going to happen!”
What privacy professionals can simplify is the work of incident response, through improved processes and tools, and by enabling the right team. Build a team of smart people who are detail-oriented but also see the big picture: a team that has the discipline to follow processes and the good judgement to know when to make an exception. Identify opportunities to automate and integrate. Look for things that repeat, such as incident profiles or notification processes, and standardize where possible. And find things that muddy the process, such as ongoing remediation, and find a way to track them separately.
Finally, have the wisdom to know that perfection is not the goal. Every privacy team is trying to improve program maturity while handling day-to-day incident response and remaining on top of shifting regulations.
As one astute privacy officer told us, it’s not an exact science. “We practice the art of incident response.”