The Past Holds the Key to Future Privacy Incident Response
Like the two-faced Roman god Janus, privacy professionals must always be watching the past and the future.
While we’re dealing with the incident of the moment, we also need to anticipate future risks, continuously improve our programs, and ensure that we’ll have the budget and resources we need.
And the key to all three lies in the past: analysis and reporting of incident data.
Ideally, analysis should be both the first and the last phase of the privacy incident response process, using insights from the investigation, risk assessment, decision-making, and notification phases of past incidents to better prepare for the next time round.
Analysis was the topic of a recent RadarFirst webinar, Privacy Incident Response 301: Proving the ROI, presented by Christian Brennholt, Deputy CPO of The Coca-Cola Company, and RadarFirst CEO and Founder, Mahmood Sher-Jan.
Through RadarFirst industry benchmarks and Brennholt’s first-hand experience maintaining compliance in more than 200 countries and territories, the two showed the many ways that analysis and reporting can improve the health and visibility of privacy programs.
Data is the Foundation
Having good data is the first prerequisite for good analysis.
As Sher-Jan explains, you need a privacy incident response process and tools that automatically capture incident data and store it in a centrally accessible place.
“If you have to go looking for data, you’re not going to have a complete picture or have the resources to do regular, thorough reporting. It has been said that ‘if you cannot measure, you cannot improve.’ That’s really a fundamental concept.”
Brennholt says a central repository is also critical to compliance:
“For a multi-national corporation like Coca-Cola, we need to have the information at hand, even if it’s an incident that happened in India or somewhere in Africa. We don’t want to have to reach out to all our offices during an audit and say, ‘Tell us about what incidents you’ve had.’ It’s vital to have the information at hand and the ability to immediately analyze it.”
You also need real-time reporting and data visualization capabilities to help you identify emerging trends and enable a proactive approach to incident response management.
Best Practices for Reporting
Once you have automated and centralized privacy incident data capture, you need to decide how best to take advantage of the information. You can use analysis and reporting to prove ROI for your privacy programs, to track trends and emerging risks and to identify and improve key performance indicators (KPIs).
To begin, decide what metrics you will report on.
Among the most important metrics, according to Sher-Jan and Brennholt, are:
- Root causes of incidents, because that tells you where you need to take action
- Trends in employee behavior or external behavior, and whether the behavior has changed
- Whether the causes of incidents are internal or external to the organization
- Your internal escalation timeline (how long it takes an incident to reach the people who decide on it)
Then decide how the reporting itself will work:
- What audience(s) do you want to report to: executives, the privacy and infosec teams, and/or stakeholders throughout the organization?
- What information does each audience need? For example, the data security team will want root cause trends to identify potential data security gaps, while the executive team will be more interested in ROI.
- In what format do you want to present the information?
- How often will you analyze and report?
Whether you’re reporting to the privacy team or the executive team, use metrics to reach insights and conclusions, and make recommendations based on what you find. Brennholt also notes that reports should be archived in case of future regulatory audits:
“They can come and investigate an incident that you had reported, and that can come years after you thought the incident was closed. You’ll be OK if you have all the information about prior incidents already at hand.”
Sher-Jan adds: “We’ve heard from many clients who’ve gone through the audit process. The auditors are looking not only for consistency, but also for proof, and it was invaluable having an automated platform that can pull the information together in minutes rather than spending days or weeks.”
Comparing Your Program to the Industry
Finally, producing metrics can tell you where your privacy program stands, relative to the industry, in each phase of the incident lifecycle. Sher-Jan explains that “that’s been difficult for the industry because the data does not exist except for statistics on breaches, which are really the tip of the iceberg.”
But RadarFirst, with its breach response framework, has been in a unique position to aggregate metadata around hundreds of thousands of privacy incidents of all kinds.
Just a few of the insights from the last two years:
- Electronic incidents are growing relative to paper, but paper-based incidents still account for about a third of all incidents
- Less than 2% of incidents are intentional and malicious. The rest are non-malicious and mostly inadvertent.
Brennholt says, “It might not even be that the employee did anything wrong. Sometimes it’s just that strong processes aren’t in place. For example, an employee might leave the company without warning because of a family or other situation, but not return their laptop for a couple of weeks.”
Sher-Jan says many people ask what a reasonable reporting/notification rate for incidents is.
Across industries, RadarFirst customers find that 6–7% of incidents are notifiable when a compliant multi-factor risk assessment is consistently performed and sufficient risk mitigation measures have been taken to reduce harm.
The vast majority of incidents have internal (and non-malicious) causes, and from 2018 through 2019, the rate of externally caused incidents dropped from 7% to 3%.
Average time from incident occurrence to notification among RadarFirst customers decreased from just over 45 days to about 44 days. (According to the 2019 BakerHostetler report, the industry average overall is 122 days from occurrence to notification.)
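As an added example (not code from the webinar, RadarFirst or Coca-Cola), the script below computes the metrics the two speakers single out in the reporting section (root-cause breakdown, internal versus external origin, the escalation timeline, paper versus electronic share, the notification rate and occurrence-to-notification days) over a constructed incident register and compares them to the benchmark figures quoted in this section. The `Incident` record, its field names, the `_d` helper and the twelve sample incidents are assumptions for illustration; the values in `BENCHMARKS` are the ones stated on this page, with the 6–7% notification range represented by its upper bound.

```python
"""Privacy incident KPIs over a constructed incident register.
Added example, not code from the webinar, RadarFirst or Coca-Cola. The register
is hypothetical sample data; only BENCHMARKS holds figures quoted on the page."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Incident:  # assumed record layout for one row of the incident register
    incident_id: str
    occurred: date            # when the incident actually happened
    discovered: date          # when the privacy team learned of it
    escalated: date           # when it reached the decision-makers
    notified: Optional[date]  # regulator/individual notice date, None if none was required
    root_cause: str
    origin: str               # "internal" or "external" to the organization
    medium: str               # "paper" or "electronic"
    malicious: bool           # intentional and malicious, versus inadvertent
    notifiable: bool          # outcome of the multi-factor risk assessment


def _d(s: str) -> date:
    return date.fromisoformat(s)


# Constructed register (hypothetical): twelve incidents over six months of 2019.
INCIDENTS = [
    Incident("INC-001", _d("2019-01-03"), _d("2019-01-04"), _d("2019-01-05"), None, "misdirected email", "internal", "electronic", False, False),
    Incident("INC-002", _d("2019-01-10"), _d("2019-01-10"), _d("2019-01-11"), _d("2019-02-20"), "lost laptop", "internal", "electronic", False, True),
    Incident("INC-003", _d("2019-02-02"), _d("2019-02-05"), _d("2019-02-06"), None, "misdirected email", "internal", "electronic", False, False),
    Incident("INC-004", _d("2019-02-14"), _d("2019-02-14"), _d("2019-02-14"), None, "paper mailing error", "internal", "paper", False, False),
    Incident("INC-005", _d("2019-03-01"), _d("2019-03-03"), _d("2019-03-04"), None, "misconfigured share", "internal", "electronic", False, False),
    Incident("INC-006", _d("2019-03-20"), _d("2019-03-21"), _d("2019-03-22"), None, "paper mailing error", "internal", "paper", False, False),
    Incident("INC-007", _d("2019-04-05"), _d("2019-04-06"), _d("2019-04-10"), _d("2019-05-30"), "phishing credential theft", "external", "electronic", True, True),
    Incident("INC-008", _d("2019-04-18"), _d("2019-04-18"), _d("2019-04-19"), None, "misdirected email", "internal", "electronic", False, False),
    Incident("INC-009", _d("2019-05-02"), _d("2019-05-02"), _d("2019-05-02"), None, "misconfigured share", "internal", "electronic", False, False),
    Incident("INC-010", _d("2019-05-15"), _d("2019-05-16"), _d("2019-05-16"), None, "lost laptop", "internal", "electronic", False, False),
    Incident("INC-011", _d("2019-06-01"), _d("2019-06-01"), _d("2019-06-02"), None, "paper mailing error", "internal", "paper", False, False),
    Incident("INC-012", _d("2019-06-12"), _d("2019-06-12"), _d("2019-06-12"), None, "misdirected email", "internal", "electronic", False, False),
]

# Benchmark figures quoted on this page (RadarFirst customers, 2018-2019).
BENCHMARKS = {
    "notification_rate": 0.07,   # 6-7% of incidents notifiable; upper bound used here
    "external_share": 0.03,      # externally caused incidents in 2019
    "malicious_share": 0.02,     # under 2% intentional and malicious
    "paper_share": 1 / 3,        # paper still about a third of incidents
    "occurrence_to_notification_days": 44,  # industry average per BakerHostetler 2019: 122
}


def share(incidents: Iterable[Incident], predicate: Callable[[Incident], bool]) -> float:
    """Fraction of incidents satisfying predicate (0.0 for an empty register)."""
    items = list(incidents)
    return sum(1 for i in items if predicate(i)) / len(items) if items else 0.0


def root_cause_breakdown(incidents: Iterable[Incident]) -> list[tuple[str, int]]:
    """Root causes, most frequent first: this is where remediation effort goes."""
    return Counter(i.root_cause for i in incidents).most_common()


def escalation_timeline(incidents: Iterable[Incident]) -> dict:
    """Days from discovery to escalation; the slowest case is the one to review."""
    items = list(incidents)
    days = [(i.escalated - i.discovered).days for i in items]
    slowest = max(items, key=lambda i: (i.escalated - i.discovered).days)
    return {"median_days": median(days), "mean_days": mean(days),
            "max_days": max(days), "slowest": slowest.incident_id}


def occurrence_to_notification(incidents: Iterable[Incident]) -> dict:
    """Days from occurrence to notification, over the incidents actually notified."""
    days = [(i.notified - i.occurred).days for i in incidents if i.notified is not None]
    if not days:
        return {"count": 0, "mean_days": None, "median_days": None}
    return {"count": len(days), "mean_days": mean(days), "median_days": median(days)}


def program_metrics(incidents: Iterable[Incident]) -> dict:
    items = list(incidents)
    return {
        "notification_rate": share(items, lambda i: i.notifiable),
        "external_share": share(items, lambda i: i.origin == "external"),
        "malicious_share": share(items, lambda i: i.malicious),
        "paper_share": share(items, lambda i: i.medium == "paper"),
        "occurrence_to_notification_days": occurrence_to_notification(items)["mean_days"],
    }


def compare_to_benchmarks(metrics: dict, benchmarks: dict = BENCHMARKS) -> dict:
    """Per-metric comparison. 'above_benchmark' is a flag to investigate, not a verdict."""
    report = {}
    for name, bench in benchmarks.items():
        ours = metrics[name]
        report[name] = {"ours": ours, "benchmark": bench,
                        "delta": None if ours is None else ours - bench,
                        "above_benchmark": ours is not None and ours > bench}
    return report


if __name__ == "__main__":
    for cause, n in root_cause_breakdown(INCIDENTS):
        print(f"{cause:28s} {n}")
    print(escalation_timeline(INCIDENTS))
    for name, row in compare_to_benchmarks(program_metrics(INCIDENTS)).items():
        flag = "ABOVE" if row["above_benchmark"] else "at/below"
        print(f"{name:34s} ours={row['ours']:.3f} benchmark={row['benchmark']:.3f} {flag}")
```

In the constructed register the notification rate comes out at 2 of 12 (about 17%) against the 6–7% benchmark, and the flag is a prompt to look, not a conclusion: the page ties the 6–7% figure to a consistently performed multi-factor risk assessment and sufficient mitigation, so a rate well above it suggests mitigation is not reducing harm (or that every incident is being notified by default), while a rate well below it invites the question, from an auditor if nobody else, of whether incidents are being risk-assessed at all. The root-cause list is the one output that points directly at an action; the same register also shows why the escalation metric keeps the slowest incident's identifier rather than just a number.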
Acting on Insight
Janus was the god of transitions, and for good reason. While we can’t change the past, we can learn its lessons and take action to change the future.
Brennholt cites a success story at Coca-Cola:
“We all receive phishing emails, and some of them look very real. We found out through analysis that our company was above the average in the number of people falling for phishing scams. So, we started a program where we sent out phishing emails, and if people clicked on them, they were connected to an anti-phishing training. The initiative brought down the click rate substantially, but, more importantly, it brought down the rate of people giving up credentials to a very, very low number. Without the analysis, we would have supplied general training and just hoped that it was working. But with the analysis, we were able to take this very specific approach of connecting people to training designed just for them.”
Insight leads to action; the past informs the future.
You can learn more about analysis and metrics by viewing the webinar, and if your IR program is regularly analyzing incident data, producing actionable insights, and taking action to improve, you’re already on the road to success.