Remove Subjectivity and Streamline Data Breach Decisioning: Lessons from Live Q&A
In the latest session of The Privacy Collective, we discussed how privacy teams can improve consistency in incident response, build team collaboration, and eliminate the subjectivity inherent in breach decisioning.
Data breaches are on the rise and the cost of non-compliance is exponentially increasing. It’s more important than ever to evaluate your organization’s breach notification decision-making process to ensure consistency and efficiency.
In this session of The Privacy Collective, we invited special guest, Laurie Radler, AVP, Chief Privacy Officer at Healthfirst, to share her experience in breach decisioning from a healthcare perspective.
The healthcare industry had the highest average data breach cost for the twelfth year in a row. The cost of a breach in this industry went up by 42% since 2020, and is only expected to grow. It pays to invest in technology and tools to not only prevent the occurrence of breaches, but also to mitigate the fines and penalties associated with non-compliance.
“The cost of a breach in the healthcare industry went up 42% since 2020. For the 12th year in a row, healthcare had the highest average data breach cost of any industry.” – IBM Cost of a Data Breach 2022
Laurie’s primary responsibility at Healthfirst is to oversee the privacy program and ensure her team is doing everything they can to promote privacy awareness throughout the organization. In her role, she represents Privacy in all enterprise projects where PHI data is used, disclosed, or retained. She works closely with other departments to design mature privacy controls. Laurie has a small, but mighty team, so efficiency is a must when it comes to incident management.
In the thirty-minute discussion hosted by RadarFirst’s very own, Lauren Wallace, Chief Privacy Officer and General Counsel, we covered the following topics:
What’d You Miss?
- The complexity surrounding breach decisioning
- Why consistency is key within incident management
- Using automation to prepare for the unexpected breach
- Words of advice for breach decisioning and incident response
Complexity Surrounds Breach Decisioning
To notify or not? That’s the most important question. And one that can have different consequences depending on which way your organization leans.
Removing the inherent subjectivity in breach decision-making may seem like an impossible task. However, it’s been actualized with one intelligent, automated solution.
Laurie provides a glimpse of what life was like before her team had an automated decision support platform:
“We saw that certain members of our team leaned more towards member notification of an incident. Sometimes, even if there was no real breach, just to let them know.
And then we had other members of the team lean the other way, not to report unless absolutely necessary. But now, again because of the objective criteria and [improved] knowledge base, we took that out of the picture.
Also, when you had various reporting timeframes like 72 hours for the Department of Financial Services in New York, 60 days for OCR, et cetera, I’m wasting time in discussion and coming to that breach, no breach decision. It created an unnecessary risk to our organization.”
Breach decisioning requires extensive legal knowledge of applicable state, federal, and international notification obligations and reporting requirements.
Staying current with existing and proposed privacy legislation is daunting for just one person and costly to rely on outside legal counsel.
Laurie shares, “… keeping up with the various state rules would be very labor intensive if we didn’t have the knowledge base of all the various laws.”
She continues with additional insight, “Since I’m not a lawyer, and the people on my team are not practicing lawyers, it’s important to have the proper legal interpretation of the rule and whether or not an incident rises to the level of a reportable breach.”
Who’s Involved in Making the Breach Decision?
It takes a village to reach a breach notification decision. To streamline decision-making, you need a collaborative process in which every stakeholder can share relevant incident details (at any given time in the incident lifecycle). This will not only accelerate the initial risk assessment, but will improve remediation timelines. Centralizing this process helps connect teams and increase visibility across the organization.
Laurie describes some of the complexity behind the breach decisioning process:
“I think making sure that we have all the information that we need to perform the initial risk assessment and also to do subsequent assessments if more information comes forward. We have to make sure that we collaborate with the right teams and the right questions are being asked and answered, and that includes executive leadership.”
Laurie’s team collaborates frequently with other departments on key incident details. She shares how important it is to have a centralized approach so that specific stakeholders can play their role. This approach allows for greater incident awareness and improved response across the organization.
Arriving at the Breach Decision
What used to be a fragmented process of delayed communication across departments has now been consolidated into an easy-to-use, centralized process.
Using its patented algorithm, RadarFirst provides breach decision guidance in seconds. This is huge for organizations with small teams like Laurie’s, where breach decisioning could take days to complete – delaying remediation timelines and holding back employees from other critical tasks.
Without automation, “… the decision whether or not to notify the Member (in our case) is much more difficult when we don’t have a repeatable objective process.”
Everyone Should Be Able to Run Point from the Privacy Perspective
Laurie describes the two best outcomes of using an automated decision support platform as objectivity and a repeatable process.
“Having this streamlined, well-documented process allows anybody on the privacy team to be the point person for that incident. I’m the privacy officer, but I may be on vacation, you know, or out sick or what have you. Anybody can run that playbook and that’s crucial when you have a very small team. Everyone should be able to run point from the privacy perspective, so I would say that that’s really the biggest benefit. But of course, like I said, we have other work that we need to do and so it does free up time for more critical tasks.”
Why Consistency is Key within Incident Management
Consistency is critical within incident management, especially when your decision could impact brand trust.
Laurie tells the audience, “Once you declare that you have a breach, you can’t really roll it back and say, oops, we made a mistake because that erodes trust. And if you do have a breach, you really need to have lots of things in place to be responsive to your Members, your patients, your customers, so that you don’t lose that trust.”
Over- and under-notification can have an impact on an organization’s reputation. Striking that perfect balance is key.
Laurie has a similar view, “I think both over- and under-reporting can affect your brand. Our Members trust us to protect their data and any mistakes can erode that trust. We clearly don’t want to report when it’s not necessary. If Members receive notification letters often, they get nervous and they call us — they want to know what this means, they really don’t know what this means, and it becomes a fear of identity theft. Reporting when we don’t need to really can create member abrasion.”
Hyper-notification can also cause fatigue among consumers. If you receive notification letter after notification letter in the mail, it may actually suppress responsiveness and the actions consumers need to take to protect themselves.
The erosion of trust impacts a consumer’s decision to buy. How profoundly does it impact their decision? Well, 71% of consumers say they’re unlikely to buy if a company loses their trust.
Safeguarding brand trust has become so important to organizations in every industry. We’ve even seen a new role emerge in the C-suite to do just that.
“87% of executives think customers highly trust their companies when only about 30% do.” – 2022 PWC Trust in the US Business Survey
For healthcare, it’s all about protecting patient data. Data is currency.
Laurie shares, “We have an enormous amount of healthcare data of a person’s most private information, and that’s basically, you know, that is our currency is data. So protecting it above all else is extremely important. However, you know in the hospital setting, I was a compliance officer and a privacy officer in the hospital setting, you know, we need to take care of patients. So, basically every dollar you might spend on information security and securing your perimeter and defending against attacks is a dollar that’s taken out of patient care and a lot of hospitals have very, very thin margins. So, I think it’s much more difficult on the hospital side and in terms of us, you know, we’re very fortunate that we have the board’s 100% support on having sophisticated information security tools and that’s great.”
Develop Playbooks for Incident Response
Laurie shares how teams can build further objectivity into the decision-making process by creating well-documented response playbooks. She emphasizes the importance of constantly updating and improving these procedures.
She describes one of the biggest challenges before creating a centralized approach as “not knowing who’s in charge of the incident response.”
She continues, “Security has their playbooks and their procedures, but there are a lot of other stakeholders involved in breach notification – Legal and Communications. If we’re trying to figure out when Communications needs to be involved [and when they need to] start developing those communications, it’s too late. It’s just unnecessary. We hurry up at the end and we don’t want to run out of time. So, having that playbook is key.”
Establishing playbooks is the first step to maturing your privacy program, but practice makes perfect.
Laurie adds, “Tabletop exercises are a must and debriefing is key. We come to this exercise to be better in what we do, so we really have to come in with an open mind and we have to play out various scenarios to see where our weak spots are.”
The Importance of Showing Your Work to Regulators
The way in which you respond to each incident needs to be consistent and defensible, so that when you are asked by regulators how you arrived at your breach decision, you have well-documented proof.
Laurie stresses the importance, “Your response has to be defensible. So, we’re always prepared to show our regulators our work. That’s really key. And depending upon the nature of the incident, like we send a mis-mailing, and not a mis-mailing of sensitive information, but just we sent something with PHI like an EOB to somebody else versus a cyber incident where there’s exfiltration of PHI data, being able to rely on that playbook really takes the guesswork out of the processes. Every party knows their responsibilities and when certain actions need to be triggered – like notifying a regulatory agency. We have that documented, so there’s no guesswork. And number two, the clock is ticking, so to speak. So we don’t want to waste time figuring out, for instance, when Communications need to be brought in to help with messaging to internal stakeholders, the board, regulatory agencies, et cetera. We have a playbook, and we know when these leaders need to be pulled.”
How to Prepare for the Unexpected with the Help of Automation
“Your baseline shouldn’t be the baseline. It should be ‘where are we now?’ and then built from there.” – Lauren Wallace, Chief Privacy Officer and General Counsel at RadarFirst
Privacy rules change all the time, and there are only ever more of them, not fewer. So how can tools for modeling and automation help accelerate privacy program maturity?
Laurie echoes advice shared at this year’s RadarFirst Privacy Summit.
“So, during the last Radar summit, one of the speakers brought up using decision support to basically run a tabletop exercise. We’ve talked about this, and I really liked this idea because we never know when an incident is going to happen and who’s around to handle it. As we get more innovative, for instance, as we expand our digital footprint, that’s something again we would have to practice. So, I really liked the idea. I think it’s very innovative and I think it also helps move the program further in the maturity scale.”
Accelerating maturity is on everyone’s mind as we move into the new year.
Laurie continues, “We had a maturity scaling consulting project with an outside firm a while ago and we were rated as a three, which was great, but knowing that to get from three to four is an exponential mountain to climb, it’s a steep mountain to climb, I guess demonstrating the movement by using tabletops, it’s a strategic activity and it really goes beyond the routine processing of incidents. Instead of focusing on the daily blocking and tackling, it demonstrates also to executive leadership and the board that we’re being thoughtful and we’re being innovative as we improve our program.”
Using automation to model unique scenarios helps provide interim metrics to report to leadership and the board that illustrate your team’s ability to respond. It proves your team is developing strategic plans that respond to new products, new changes in the market, and new customer growth.
Words of Advice for Breach Decisioning and Incident Response
Laurie leaves us with some final words of advice for streamlining breach decisioning.
→ Automate your process.
→ Document your process with playbooks, et cetera.
→ Practice with tabletop exercises and when you do that post-mortem, don’t take feedback as criticism.
→ Adopt a growth mindset – discuss “what we did well” and “what we could have done better” to mature your program.
→ Stay current. Attend educational networking events on this topic. There’s a lot out there to read and to study, so stay current.
Resources to Improve Breach Decisioning and Improve Consistency
Looking to simplify your breach decision-making process? Check out our free guide for download, How to Fix an Inconsistent, Manual and Painful Privacy Incident Response Process.
In this guide you’ll learn how to:
→ Ensure consistency when assessing incidents
→ Make incident response processes efficient, scalable, and cost-effective
→ Keep up with and meet changing regulatory deadlines
Watch The Privacy Collective On-Demand!