Last week I attended the IAPP Practical Privacy Series in Washington, DC. This series features intensive educational sessions designed to arm those in the privacy field with the up-to-the-minute knowledge needed to excel on the job. My fellow attendees were privacy officers and others who were well versed in privacy issues – many interesting conversations were started in the hallways between sessions and during meals.
The data breach track was a popular area of focus this year, and “how-to-prepare” was a leading topic for many of the panels. Professionals in the field – and certainly those at the conference last week – are well aware of the hazards involved in poor incident response, but it was helpful to hear the panelists focus on what teams should do proactively, before an incident ever occurs.
Below are five key tips for incident response readiness that surfaced during last week’s sessions.
Tip #1: Spend money to save money – push to give privacy its own budget
A couple sessions at the event hit on the topic of finding budget for Privacy. Scott Lashway, Partner, Litigation and Dispute Resolution at Holland & Knight and Christopher Pierson, EVP, General Counsel, and Chief Security Officer at Viewpost discussed the intersection of privacy and security programs, and how their goals align or diverge. There is a push for privacy teams to be in charge of their own budgets within organizations (as opposed to reporting to security) because there are a number of potential conflicts of resources and interests. Consider:
- The 2016 Cost of Data Breach Study found the average consolidated total cost of a data breach grew from $3.8 million to $4 million this year. This is the cost of a single data breach, with additional losses associated with brand and reputational harm. In light of the real cost of non-compliance, making a relatively small investment in preventative measures, including staff hours, systems, and incident response preparedness tools, may well be worth the price tag.
- Under GDPR, companies will run the risk of fines that could reach 4% of global annual revenue for an entire conglomerate. The planning and systems that must be implemented to meet a May 2018 go-live deadline will require a significant investment.
- WIth the prevalence of data breach coverage in the media today, having a well-funded privacy team can be a market differentiator. For instance, Electronic Arts, maker of some of my favorite computer games, sent their entire team to attend IAPP PPS, indicating the value they place on gamers’ privacy.
Tip #2: Identify your core and extended team - NOW
Identifying your team before an event occurs will help keep the process moving forward, and allows for a team to be familiar with each other and the rigors of the multi-factor risk analysis process. Hillary Wandall of TRUSTe had some good points about what a privacy manager can do for her organization, acting as a counselor to find creative ways to improve compliance that dovetail with other objectives and existing processes, creating a program that is ongoing and sustainable, and using the privacy program to maximize the net value of data to the organization.
Bonus Tool: Access a worksheet to help develop your core and extended incident response teams in the recent blog post, It Takes a Village: Building Your Incident Response Team.
Tip #3: Build a response plan before you need it
Several segments touched on the necessity of Incident Response Plans (IRPs) and their importance in meeting breach notification deadlines. In the session “During: The First 72 Hours” with Seth Harrington, Partner at Ropes & Gray, and Brian Lapidus, Managing Director, Identity Theft and Breach Notification at Kroll it was emphasized that having an IRP clearly defined, practiced, and communicated to internal and external teammates is essential to responding accurately in the face of a 72-hour breach response timeline. Harrington and Lapidus also identified what organizations should not do within that timeframe, including panic or try to come up with an IRP on the fly.
Tip #4: Know the difference between an event, incident, and data breach
In the same session on breach response preparedness, Lapidus and Harrington identified the dangers in lax use of the word “breach” (aka the “b” word). Because of the potential conclusory meaning of the word, use of the term “breach” before an actual breach determination has been made can cause those involved in the investigation to panic, overreact, or otherwise influence their investigation. It can also create an inaccurate record if employees use the word internally before that conclusion has been reached. It is imperative to remain objective and thorough throughout an investigation. Until you know for certain otherwise, don’t call an event or an incident a breach. Check out this post to learn more about the difference between an event, an incident, and a data breach.
Tip #5: Don’t forget about your contractual obligations
Another key aspect in getting your company ready for an incident is setting up vendors and buttoning up contracts and business associate agreements so you are aware of both your resources in helping respond to a potential breach, as well as your contractual obligations to report to BAs and Third Party Vendors if your data has been compromised. The cost of noncompliance when it comes to vendor contracts and business associates are real. Consider these two examples from the OCR “Wall of Shame:”
- In March of 2016, North Memorial Health Care of Minnesota was fined $1.55 million for potential violations of the HIPAA Privacy and Security Rules. The health care organization did not have a business associate agreement in place with a contractor, nor did it perform an organization-wide risk analysis to address threats to patient information.
- In April 2016, Raleigh Orthopedic Clinic in North Carolina agreed to pay $750,000for a potential violation of the Privacy Rule. The clinic gave X-ray films and related protected health information (PHI) of more than 17,000 patients to a potential business partner without first signing a business associate agreement.
Manage client notifications and stay compliant with contractual obligations.
The Contractual Obligations Workflow seamlessly extends RADAR’s regulatory workflow for clients by treating them as contractual jurisdictions. Take advantage of existing functionality for state and federal jurisdictions and easily manage contractual notifications even for complex incidents involving multiple clients and timelines.