The Thrills and Chills of Privacy Incident Response
Anyone who saw the 2006 James Bond thriller Casino Royale can’t forget the spectacular parkour chase sequence that opened the movie. Daniel Craig makes his entrance as the new Bond with gravity-defying leaps from catwalks, cranes, and moving vehicles. (OK, his stunt double makes gravity-defying leaps, but it’s still spectacular.)
If you think about it, every privacy incident response team navigates obstacles as challenging as any Bond chase.
With short deadlines to comply, ever-changing regulations, and new information about a privacy incident constantly shifting the picture, it’s like doing parkour during an earthquake. And our incident response teams have no stunt doubles!
In our recent webinar, Holly Amorosana, Chief Privacy Officer at Apple Bank, and Mahmood Sher-Jan, CEO and Founder of RadarFirst, showed just how challenging and changeable the incident response process can be. Then they walked the audience through some common types of data privacy incidents to show the complex choices that an incident response team has to make.
Pressure to Make the Right Notification Decisions
First, there is the pressure to make the right notification decisions for multiple laws, jurisdictions, and contractual obligations and within timeframes that can be as short as 72 hours. If the incident response team misses a step, the organization can suffer regulatory and financial penalties and reputational damage.
As expert Martin Gomberg pointed out in another recent webinar, more than 100 privacy and cybersecurity laws have been enacted in the U.S. and globally in the last 2 years alone, so keeping up with regulations and new regulator guidance can require the fitness of a Bond stunt double.
Complexity of Assessing an Incident
Next, there’s the complexity of assessing an incident. The reporting system has to be accessible and efficient enough that you can gather the facts quickly.
If it prompts the person doing the reporting for key information, even better. That saves the incident response team some discovery time and helps ensure that notification decisions will be made using a consistent set of information.
But the picture of an incident can shift as more information comes to light, and your process has to allow for that. Preparation is key, as Amorosana points out.
“If you’re on day 25 of a 30-day reporting period and you’re still wrangling the data and figuring out your affected population, can your in-house people or outsourced notification company get those notices out in 3 days? You don’t know unless you’ve tested that operation ahead of time.”
Putting Together an Effective Incident Response Program
Finally, there’s all the work of putting together an effective incident response program. Amorosana and Sher-Jan outline the elements that must be in place before an incident occurs:
- A trained incident response team, with all the needed skills and clearly defined roles.
- Processes and tools to operationalize your strategy so that it is consistent, objective, defensible, and timely.
Even getting the needed resources can be fraught.
On average, only 10 percent of incidents are notifiable after proper risk assessment and post-incident risk mitigation, which makes it critical that every incident is properly risk-assessed.
“There’s a danger decision-makers will conclude that if only 10 percent of incidents are notifiable, they can live with that risk and spend less on incident response. You have to help them understand that while most incidents aren’t notifiable, all incidents require response.”
The examples presented in the webinar showcase some of the intricacies of responding to even very common types of incidents.
In one example, a file with personal information is sent to an unknown person because of a typo in an email address. In another, a file containing names and national ID numbers is accidentally shared with an unauthorized business partner. In both cases, the incident response team has to consider many factors: the recipient, the nature of the incident (accidental versus malicious theft), the data protection mechanisms in place, and possible risk mitigation measures. And, of course, they have to consider the laws, breach thresholds, and notification requirements in all the applicable jurisdictions.
Sometimes requirements in one jurisdiction can drive notification decisions in others.
“There’s always a struggle between the different thresholds in the different jurisdictions. You might have a decision that something has to be reported in one jurisdiction but not in another. Then you have to decide whether to do courtesy notifications so that you’re treating customers in different states the same way. But then you also have to ask whether you’re running into the danger of over-reporting.”
In both scenarios, new information arises late in the decision process, as it often does in real life.
A changing privacy incident picture tests the efficiency of an organization’s incident response process.
“You have to determine whether your decision changes based on the newly discovered info. Do you have to bring everyone back together to reassess the whole situation, or do you have a systematic approach for making that adjustment and rerunning the scenario?”
Fortunately, in both these scenarios, the organizations are using Radar to automate their incident response, so they can add the new information to the existing incident profiles and instantly get revised risk assessments. (Where would James Bond be without his high-tech tools?)
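To make the idea of a systematic, re-runnable assessment concrete, here is an added Python sketch that is not from the webinar and does not reflect how Radar works: incident facts and per-jurisdiction thresholds are data, so a late-arriving fact (for example, learning that the file was encrypted) is just another run of the same logic rather than a reconvened meeting. The jurisdictions "State-A" and "State-B", their thresholds, safe-harbor rules and deadlines are constructed for illustration and are not modelled on any real statute.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Incident:
    """Facts gathered from the reporter; every value used here is constructed."""
    discovered: datetime
    data_types: frozenset   # e.g. {"name", "national_id"}
    malicious: bool         # accidental disclosure vs. theft
    encrypted: bool         # was the file protected by encryption?
    affected: frozenset     # jurisdictions whose residents are in the file

@dataclass(frozen=True)
class Rule:
    """Hypothetical per-jurisdiction threshold; not modelled on any real statute."""
    jurisdiction: str
    sensitive: frozenset    # data types that cross the notification threshold
    safe_harbor: bool       # accidental loss of encrypted data is exempt
    deadline_days: int

RULES = (
    Rule("State-A", frozenset({"national_id", "account_number"}), True, 30),
    Rule("State-B", frozenset({"name", "national_id"}), False, 3),
)

def assess(incident, rules=RULES, courtesy=True):
    """Return {jurisdiction: (status, deadline)} where status is "required",
    "courtesy" (not required there, but sent so customers are treated alike) or "none"."""
    result = {}
    for r in rules:
        if r.jurisdiction not in incident.affected:
            continue
        triggered = bool(incident.data_types & r.sensitive)
        if triggered and r.safe_harbor and incident.encrypted and not incident.malicious:
            triggered = False   # safe harbor covers only accidental loss of encrypted data
        deadline = incident.discovered + timedelta(days=r.deadline_days)
        result[r.jurisdiction] = ("required", deadline) if triggered else ("none", None)
    required = [d for s, d in result.values() if s == "required"]
    if courtesy and required:
        for j, (s, _) in result.items():
            if s == "none":   # align courtesy notices with the earliest mandatory deadline
                result[j] = ("courtesy", min(required))
    return result

def reassess(incident, courtesy=True, **new_facts):
    """Re-run the identical logic with facts that surfaced late, instead of reconvening."""
    return assess(replace(incident, **new_facts), courtesy=courtesy)
# Constructed scenario: names and national IDs e-mailed to the wrong business partner.
INCIDENT = Incident(datetime(2024, 1, 10), frozenset({"name", "national_id"}),
                    malicious=False, encrypted=False, affected=frozenset({"State-A", "State-B"}))
```

Running `assess(INCIDENT)` flags both jurisdictions; `reassess(INCIDENT, encrypted=True)` drops State-A to a courtesy notice while State-B stays mandatory, which is exactly the over-reporting versus consistency trade-off described above.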
While your incident response team probably runs tabletop exercises instead of parkour, their success still depends on readiness, agility, and the right tools to keep your organization in compliance and out of trouble.
“You need to be agile enough to adapt and handle changes. At the same time, the more systematic and programmatic your approach, the more likely you are to have consistency in your decision-making, and that’s how you defend yourself.”
No stunt doubles needed.