The Compliance Trifecta: Privacy, Security, and Legal
In this blog, we’ll cover how to build a collaborative incident response process. But first, we need to address workplace silos.
Unless you’re storing grain on a farm, I think we can all agree that silos are bad, and that collaborative efforts are good. So why do silos continue to plague the business world?
Discrete organizational functions often end up in silos because of poor alignment, the way the privacy team is structured, and inadequate communication channels. The hazards of these departmental divisions become even clearer when you consider incident management: when you are assessing an incident to determine whether it is a data breach, time is of the essence.
Unclear incident response ownership and poor communication can mean fumbled handoffs, redundant work or, even worse, incidents falling through the cracks because each department assumes the other is handling the situation, or incidents being missed altogether. That is why incident response is a particularly fraught business process when organizational structure is muddled and inter-departmental coordination is poor.
How privacy, security, and legal departments converge and collaborate to protect data and ensure regulatory compliance could mean the difference between a strong culture of compliance and a data breach disaster.
Building a Collaborative Incident Response Process Starts with Knowing Your Org Chart
If you were to ask a room of privacy professionals to compare their organizational charts – where the privacy program lives within the organization, who the privacy lead reports to, and the interdependencies or nesting of the privacy department compared with security or legal departments – you would probably get as many different answers as there were people in the room. This is because each organization has its own unique culture and structure, and growing businesses tend to evolve their organizational structure to best fit their changing risks and needs, while accomplishing their business goals.
What is the most common structure for these interdependent departments? It depends. In the 2021 IAPP-EY Governance Report, privacy positions were most likely to be found within the legal department, according to 57% of respondents. When it comes to reporting structure, 48% of respondents said the privacy lead was equal to the CISO in the corporate hierarchy, and privacy leads are most likely to report to the General Counsel or the CEO. These results seem to confirm that privacy is a growing concern within organizations, and that privacy responsibilities are taken seriously throughout the organization. There is even a growing chorus of voices promoting the combination of the chief security and chief privacy officer roles, to optimize alignment and to give privacy a more prominent role as a business risk and opportunity.
It’s no wonder, considering this inherent complexity, that security employees struggle with understanding the organization’s structure, functions, and interdependencies.
The value in knowing your organization’s reporting structure is that it gives you insights into where cooperation can be cultivated, as well as the division of priorities and budgets.
Identify Shared Goals and Work Together to Achieve Them
Compliance is about establishing trust with customers, partners, and regulators. It is a responsibility that no one department can take on alone, and privacy, security, and legal roles do not have mutually exclusive areas of influence or responsibility. The shared burden of incident management falls between the security, privacy, and legal departments, and each department will approach the task of incident response and of establishing strong privacy practices from a different perspective, with different motivations informed by its own departmental goals. In a study conducted in 2020 examining who received the blame when a data breach occurs, 21% of IT decision-makers were most likely to blame the CISO for a data breach.
A greater portion believed the CEO or the company's board should take accountability, as they are responsible for company priorities and for building a roadmap for technological innovation. Just look at any of the largest cyber-attacks in the past decade: CEOs either resigned or were replaced.
Once you understand each player's part in the game, remember that your shared goal in incident response is not only to comply with data breach notification laws, but also to protect affected individuals from harm if their sensitive information has been disclosed.
Part of building a more collaborative atmosphere starts with understanding one another's roles and main motivations. A security professional may approach privacy from a tactical standpoint, safeguarding data and maintaining systems that help to prevent, or mitigate, improper disclosures. Privacy teams can focus more on the personal impacts of incident response: how the disclosure relates to people, the risk of harm to the impacted individual, and what regulatory requirements may follow from that determination. Legal teams are integral both in understanding the regulatory landscape and in setting company policies and ensuring that business practices, such as third-party vendor agreements or business associate agreements, are buttoned up and in place.
Together, these perspectives round out a full view of regulatory compliance. Understanding legal risks, implementing privacy policies and procedures, safeguarding data, and applying the appropriate controls for that data are each critical aspects of a strong privacy program.
Invest in Systems and Processes That Enable a Collaborative Incident Response Process
In 2022, the average time to identify a breach was 207 days and the average time to contain it was 70 days, for a 277-day breach lifecycle, a drop of 10 days compared to 2021 data.
This timeframe is troubling for a couple of reasons. First, data breach notification timeline requirements are getting more and more abbreviated: in some US states you may have as few as 30 days, and in the case of the EU GDPR, you have 72 hours to notify your lead supervisory authority. Delays at each step of the incident management lifecycle could mean missing regulatory compliance deadlines.
The second reason these statistics are troubling is that they indicate a lack of coordinated systems. Organizations need an automated way to respond to privacy and security incidents: one that allows all employees and customers to report incidents efficiently, and that lets the incident response team efficiently and consistently perform risk assessment, make a breach or no-breach determination, and provide dashboards and real-time reporting for organization-wide visibility.
To truly succeed in their joint mission to protect data, privacy, security, and legal teams need a purpose-built incident management and decision-support system that can easily support the organization’s culture of compliance and audit-friendly process steps, is always up to date with the latest jurisdictional requirements, and provides the insights needed for organizations to fully manage incident-related risk.