Wherever data goes, risk follows close behind, particularly the risk of unauthorized access and disclosure—in other words, a data privacy or security incident. Every organization, regardless of size or industry, has experienced (and will experience) its share of privacy incidents. Given that, how can teams address the top 4 difficulties in managing privacy incident response to build a successful privacy program?
Organizations must learn to properly manage their response to these incidents to mitigate risk to their brand, customers, and employees. This is especially critical as global privacy laws tighten, definitions of regulated data broaden, and customer awareness of data privacy rights increases.
Budget and inefficient processes restrict even the most privacy-minded companies.
Privacy teams must find a way to break through these challenges and create a consistent method for managing privacy incident response to stay compliant with data breach notification obligations.
This article is the first in a series discussing the new rules of managing privacy incident response in 2020, and how to create a privacy program that protects your organization and the people you serve.
Challenge #1: Privacy incident detection and escalation
Data privacy incidents come in many forms, not all of which are readily detectable. These can range from a misdirected fax to fast-evolving malware.
As a result, there can be a significant delay from the time the incident actually occurred to the date the organization discovered it. This delay, on average, is 66 days according to the BakerHostetler 2018 Data Security Incident Response Report.
Another issue is privacy incident escalation. This is the time from discovery to notification. In the BakerHostetler report, this was an average of 38 days. Anonymized incident metadata from the Radar platform reflects a somewhat shorter timeframe of an average of 29 days.
Challenge #2: Complex privacy data breach notification requirements
Data privacy laws are more stringent, specific, and numerous than ever before. The constant shifting of regulations requires constant vigilance to keep abreast of changes.
A 2018 Thomson Reuters report on compliance noted that there is an average of 216 regulatory alerts a day.
In addition to broadening the scope of regulated or personal data, many laws have more specific requirements about notification content and timing. Regulators take noncompliance seriously, both in the United States and internationally. Uber was fined $148 million for waiting a year to notify its drivers that hackers stole their personal information.
Challenge #3: Lack of privacy budget
Privacy budgets have been traditionally low, especially when compared to infosec or IT expenditures. GDPR is changing much of that. The 2018 IAPP-EY report notes:
“organizations have bulked up their privacy teams, tackled the hard work of implementing GDPR programs [and] spent a lot of money to get there (an average of $1.3 million, with an additional $1.8 million expected).”
Compared to 2017, a greater share of privacy spending in 2018 went to outside counsel (up to 15% from 11%), and the share spent on technology and tools increased from 9% to 12%.
Yet 65% of respondents feel their privacy budget is not enough.
Challenge #4: High cost of inefficient privacy program processes
Time spent manually researching laws, conducting risk assessments, and creating board reports could be better spent on higher-value and mission-critical work. Scaling the privacy program to meet growing business needs without adding headcount is difficult.
Inefficiency also breeds subjective decision-making, which leads to noncompliance and the danger of over- or under-reporting. Longer lag times from incident discovery to notification increase the potential risk of fines. In addition, contractual obligations with clients often require shorter notification periods.
As laws change, and as privacy teams compete for limited budget dollars, the challenges of privacy incident response continue to increase.
Organizations need an effective method for detecting, reporting, escalating, assessing risk, and providing notification on the privacy incidents they experience. This requires focusing their incident response process in a way that is:
- Consistent for all incident types
- Scalable to easily meet demand
- Repeatable and defensible to meet burden of proof requirements
Many organizations have successfully met these challenges with Radar to ensure compliance with the latest regulations.
Stay tuned for the next post in this series, which will cover the first challenge in-depth: incident detection and escalation. You can also learn more by downloading the free whitepaper: The 3 Challenges to Efficiency in Privacy Incident Response.