Privacy Incident Response – A Repetitive Yet Unique Process
In many ways, privacy incident response is a repetitive process. Every incident goes through the same steps: identification and investigation of the incident, assessment, decision, notification (when required), and post-incident analysis.
The paradox of course, is that every incident is also unique. Different jurisdictions, different regulations, and different incident risk factors, all of which contribute to varying notification obligations. And to further complicate matters there is the often steady arrival of new information after the investigation phase is first completed.
Like any repetitive task, incident response can be streamlined through automation and an efficient process, but the solution must be flexible and dynamic enough to adapt to the “predictable exceptions” that arise with so many incidents.
To learn how privacy professionals are walking the line between streamlining and flexibility, we had a panel discussion at our recent virtual RadarFirst User Summit and spoke with:
- Kristen Bewley, Privacy and Regulatory Counsel at Texas Capital Bank
- Michael Davis, Director of the Privacy Office at USAA
- Laura Cummins, Corporate Privacy and Security Officer at Baptist Memorial Healthcare
- Beth Cobb, AVP for Privacy Practices at Unum Group
Here’s a collection of best practices that surfaced from our session as we discussed stage 1 of incident response: Identification and Investigation.
Best Practices to Identify and Investigate Incidents
The first phase of incident response is certainly the most challenging to streamline. This discovery phase includes a number of tasks that privacy professionals must accomplish quickly and with efficiency:
- Identify an incident and create an incident response ticket.
- Determine where to pursue the investigation and who needs to be involved.
- Gather enough information to perform triage: Is the exposure ongoing? Is this an emergency? Do we need to escalate? Is the clock already ticking on a short notification deadline?
- Collect incident data to accurately profile the incident and support the assessment phase.
Who Needs to be Involved from the Start?
One consideration, pointed out by our panelists, is that there are routinely a variety of parties potentially involved in this stage: business managers from the group where the privacy incident occurred, information security, the security operations center (SOC), the privacy team, and corporate counsel.
In healthcare, the incident manager may have to interview people who work odd shifts or are only called in to work as needed. And, depending on the results of triage, the privacy incident may be escalated to the executive team, precipitating the involvement of outside forensics and counsel.
It’s little wonder that 57 percent of finance and 77 percent of healthcare responders in an online poll identified this phase as the most optimal stage to benefit from a streamlined approach.
The first requirement to streamline this phase is to have a straightforward, well-documented process that identifies who needs to be involved and define their roles.
Are We Cultivating Privacy Awareness Within Our Organization?
Our panelists also agreed that training is critical. When you create solid awareness of privacy issues throughout the organization and train employees when and how to report, you can jumpstart the investigation phase.
Some of our panelists put on “Privacy Days,” with fun activities and gifts. Other organizations deploy privacy road shows to train staff in remote offices and generate excitement around privacy. And between major training sessions, privacy teams promote staff awareness through flyers, blogs, articles, and give-aways.
How Do Employees Report Privacy Incidents?
The discovery of a privacy incident is crucial to the efficiency of the identification and investigation stage. When an incident occurs, the proper stakeholders need to be informed immediately. And the more information that can be gathered up front, the more consistent the investigation, and ultimately the faster the response.
Ideally, there should be a single point where incident information is gathered.
Our panelists all use Radar for their incident reporting tool, and most have trained their business staff in how to report using the Radar web form. The web form is customized to the organization’s needs before deployment and it remains accessible to every employee, allowing the privacy team to quickly learn when an incident has occurred.
Some organizations also develop privacy champions within each line of business who can help lead and facilitate the investigation of incidents within their area to foster a more consistent process.
Triage and Incident Investigation
The investigation stage can be subdivided into two phases.
First, there is the “triage” phase to make preliminary determinations about severity, whether the response should be led by privacy or infosec, the need to escalate, and potential short notification deadlines. Most privacy teams aim to complete triage within 24–48 hours.
Our panelists outlined a couple of best practices for triage:
- Gather the most critical information –what data elements are involved, demographics of the affected population, and the applicable jurisdictions–then perform a mini-assessment. For example, if an incident occurred within a U.S. line of business, but may involve some European personal data elements, the mini-assessment might indicate that it should be escalated to your organization’s data protection officer.
- Authorize one or a small group of people to perform all the triage and then document their recommendations. This saves time and helps ensure that triage decisions are made consistently. The person(s) doing triage need to be very familiar with your business, the regulatory landscape, your organization’s specific risks and risk tolerance, and they should know who to involve when there are questions.
The second phase is the traditional privacy investigation that takes place at a more reasonable pace. This phase demands a scrupulous examination of the incident details in order to accurately profile the incident prior to the assessment.
The accuracy of the assessment is wholly dependent on the accuracy of the investigation and forthcoming incident profile.
You might also be interested in:
Topics: Incident Response Management