The Compliance Trifecta: Privacy, Security, and Legal
Unless you’re storing grain on a farm, I think we can all agree that silos are bad, and that collaborative efforts are good. So why do silos continue to plague the business world?
Discrete organizational functions often find themselves in silos due to poor alignment and communication channels. The hazards of these departmental divisions become even clearer if you think about incident response. When you are assessing an incident to determine whether it is a data breach, time is of the essence. Unclear ownership of incident response and poor communication could mean fumbled handoffs, redundant work, or worse: incidents falling through the cracks because each department assumes the other is handling the situation, or incidents being missed altogether. That is why incident response is a particularly fraught business process when organizational structure is unclear and inter-departmental coordination is poor. How privacy, security, and legal departments converge and collaborate to protect data and ensure regulatory compliance could mean the difference between a strong culture of compliance and a data breach disaster.
What can privacy, security, and legal teams do to build an effective incident response program that is consistent and is developed as a collaborative effort between their respective teams? Below are a few places to start.
Know Your Org Chart
If you were to ask a room of privacy professionals to compare their organizational charts – where the privacy program lives within the organization, who the privacy lead reports to, and the interdependencies or nesting of the privacy department compared with security or legal departments – you would probably get as many different answers as there were people in the room. This is because each organization has its own unique culture and structure, and growing businesses tend to evolve their organizational structure to best fit their changing risks and needs, while accomplishing their business goals.
What is the most common structure for these interdependent departments? It depends. In the 2017 IAPP-EY Governance Report, privacy positions were most likely to be found within the legal or compliance department, according to 72% of respondents. When it comes to reporting structure, 41% of respondents said the privacy lead was equal to the CISO in the corporate hierarchy, and privacy leads were most likely to report to the General Counsel or the CEO/Executive committee. These results seem to confirm that privacy is a growing concern within organizations, and that privacy responsibilities are taken seriously throughout the organization. There is even a growing chorus of voices promoting the combination of the chief security and chief privacy officer roles, to optimize alignment and to give privacy a more prominent place as both a business risk and a business opportunity.
It’s no wonder, considering this inherent complexity, that only 21% of CISOs responding to the ServiceNow Global CISO Study are confident security employees understand the organization’s structure, functions, and interdependencies.
The value in knowing your organization’s reporting structure is that it gives you insights into where cooperation can be cultivated, as well as the division of priorities and budgets.
Remember Your Shared Goals
Compliance is about establishing trust with customers, partners, and regulators. It is a responsibility that no one department can take on alone, and privacy, security, and legal roles do not have mutually exclusive areas of influence or responsibility. The shared burden of incident response falls between security, privacy, and legal departments, and each department will approach the task of incident response and establishing strong privacy practices from a different perspective, with different contextual motivations that are informed by their respective departmental goals. In a recent study examining who gets the blame when a data breach occurs, 21% of IT decision-makers would most likely blame a data breach on the CISO. A greater portion believed the CEO or the company’s board should take primary responsibility.
Part of building a more collaborative atmosphere starts with understanding one another’s roles and main motivations. A security professional may approach privacy from a tactical standpoint: safeguarding data and maintaining systems that help to prevent, or at least mitigate, improper disclosures. Privacy teams tend to focus more on the personal impacts of an incident: how the disclosure relates to people, the risk of harm to the affected individuals, and what regulatory requirements follow from that determination. Legal teams are integral both in understanding the regulatory landscape and in setting company policies and ensuring that business practices, such as third-party vendor agreements or business associate agreements, are buttoned up and in place.
Together, these perspectives round out a full view of regulatory compliance. Understanding legal risks, implementing privacy policies and procedures, and safeguarding data by applying the appropriate controls for that data are each critical aspects of a strong privacy program.
Once you understand each player’s part in the game, remember that your shared goal in incident response is not only to comply with data breach notification laws, but also to protect affected individuals from harm if their sensitive information has been disclosed.
Invest in Collaborative Systems and Processes
The 2018 BakerHostetler Data Security Incident Response Report shows a somewhat bleak average incident response timeline, from the day the event took place to notification being provided:
- Occurrence to discovery: 66 days
- Discovery to containment: 3 days
- Discovery to notification: 38 days
The timeline above also runs alongside the work of engaging a forensics team and performing an analysis, which on average lasted 36 days. This timeframe is troubling for a couple of reasons. First, data breach notification deadlines are getting shorter and shorter: in some US states you may have as few as 30 days, and under the EU GDPR you have 72 hours to notify your lead supervisory authority. Delays at each step of the incident response process could mean missing regulatory compliance deadlines.
The second reason these stats are troubling is because they are indicative of a lack of coordinated systems. Organizations need an automated way to respond to privacy and security incidents, one that allows all employees and customers to efficiently report incidents, and for the incident response team to efficiently and consistently perform risk assessment, make a breach or no breach determination, and provide dashboards and real-time reporting for organization-wide visibility.
To truly succeed in their joint mission to protect data, privacy, security, and legal teams need a purpose-built incident response and decision-support system that can easily support the organization’s culture of compliance and processes, is always up to date with the latest jurisdictional requirements, and provides the insights needed for organizations to fully manage incident-related risk.