Wherever data goes, risk follows close behind, particularly the risk of unauthorized access and disclosure—in other words, a data privacy or security incident. Whether they realize it or not, every organization regardless of size or industry has experienced and will experience their share of privacy incidents.
To mitigate risk to their brand, customers, and employees, organizations must learn to properly manage their response to these incidents. This is especially critical as global privacy laws tighten, definitions of regulated data broaden, and customer awareness of their data privacy rights increases.
Yet restricted budgets and inefficient processes hinder even the most privacy-minded companies. Privacy professionals and their colleagues must find a way to break through these challenges and create a consistent, defensible, and scalable method for managing incident response—including compliance with breach notification obligations.
This article is the first in a series discussing the challenges of managing incident response, and how privacy teams can overcome these obstacles to create a privacy program that protects both your organization and the people you serve.
Challenge #1: Incident detection and escalation
Data privacy incidents come in many forms, not all of which are readily detectable. These can range from a misdirected fax to fast-evolving malware. As a result, there can be a significant delay from the time the incident actually occurred to the date the organization discovered it—an average of 66 days, according to the BakerHostetler 2018 Data Security Incident Response Report.
Another issue is incident escalation—that is, the time from discovery to notification. In the BakerHostetler report, this was an average of 38 days. Anonymized incident metadata available for analysis within the RADAR platform reflects a somewhat shorter timeframe of an average of 29 days.
Challenge #2: Complex breach notification requirements
Data privacy laws—especially those with a breach notification component—are more stringent, specific, and numerous than ever before. The constant shifting of regulations means compliance is not a one-and-done activity but requires constant vigilance to keep abreast of changes. A 2018 Thomson Reuters report on compliance noted that there is an average of 216 regulatory alerts a day.
In addition to broadening the scope of regulated or personal data, many laws have more specific requirements about notification content and timing. In whatever manner the laws may change, regulators take noncompliance seriously, both in the United States and internationally. Uber was fined $148 million for waiting a year to notify its drivers that hackers stole their personal information.
Challenge #3: Lack of budget
Privacy budgets—including incident response management—have been traditionally low, especially when compared to infosec or IT expenditures. GDPR is changing much of that. The 2018 IAPP-EY report notes “that organizations have bulked up their privacy teams, tackled the hard work of implementing GDPR programs [and] spent a lot of money to get there (an average of $1.3 million, with an additional $1.8 million expected).” And compared to 2017, a greater share of privacy spending in 2018 went to outside counsel (15%, up from 11%), and spending on technology and tools increased from 9% to 12%. Yet 65% of respondents feel their privacy budget is not enough.
Challenge #4: High cost of inefficient processes
Time spent manually researching laws, conducting risk assessments for breach determination, and creating board reports could be better spent on higher-value and mission-critical work, such as training or policy-making. Scaling the privacy program to meet growing business needs—such as GDPR compliance—without adding headcount is difficult.
Inefficiency also breeds subjective decision making, which leads to noncompliance and the danger of over- or under-reporting. Longer lag times from incident discovery to notification increase the potential risk of fines. In addition, contractual obligations with clients often require shorter notification periods.
As regulations change almost overnight and as privacy teams compete for limited budget dollars, the challenges of incident response management continue to increase. Organizations need an efficient, effective method for detecting, reporting, escalating, risk assessing, and providing notification on the large volumes of inevitable incidents they experience. This requires operationalizing the incident response processes in a way that is:
- Consistent for all incident types
- Scalable to easily meet demand
- Repeatable and defensible to meet burden of proof requirements
Many organizations have successfully met these challenges with RADAR, a SaaS, purpose-built solution that offers consistent, automated risk assessment and breach notification guidance in compliance with the latest regulations.
Stay tuned for the next post in this series, which will cover the first challenge in depth: incident detection and escalation. You can also learn more by downloading the free whitepaper: The 4 Challenges of Managing Incident Response.