RADAR Blog

In my line of work, I’m afforded the opportunity to talk to privacy professionals on a daily basis. What always strikes me when I consider the daily life of a privacy pro is the challenges inherent in the work. Assessing, mitigating, and providing notification for data breaches is a large and often stressful part of the job. Beyond that critical work, however, is a long laundry list of complex, routine, and equally important privacy tasks.

The California Consumer Privacy Act (CCPA) is a first in U.S. state law, having captured the attention of privacy professionals across the country. Similar to the GDPR in many regards, this regulation will require organizations to reexamine the ways data is collected, used, and protected.

This week marks a milestone in the accelerated growth of RADAR as we open the doors to our new and expansive headquarters in downtown Portland, Oregon. This office move - though only a few blocks down the road from our former office - is a signifier of the growth our organization has gone through over the last few years, which kicked into hyper growth since becoming a part of the Vista Equity Partners’ portfolio. From the initial spark of an idea in 2009 that would develop into RADAR and ultimately becoming an independent well funded company in 2016, to the investment from Vista Equity Partners in November 2018, the product and company have seen tremendous advancements. Our commitment to innovation and our mission to establish the industry standard for a unified, global incident response management platform means that we aren’t slowing down any time soon.

Another month over, and privacy concerns continue to find their way into the headlines. Privacy as a fundamental right, and data protection as a concept, have entered public awareness for good, and we see that reflected in the major news coverage of our profession, well beyond industry publications. The public is gaining a more sophisticated understanding of privacy protection measures, and getting savvy about identifying the organizations that can - or cannot - be entrusted with their data.

For the past year, the privacy and security world has kept a laser-like focus on the European Union’s General Data Protection Regulation (GDPR). And what a year it’s been. More than 59,000 personal data breaches were reported across Europe from the enforcement date of GDPR on May 25, 2018, to International Data Protection Day on January 28, 2019.

My work with RADAR has afforded me the opportunity to attend a number of privacy events in the past few years. Just this week I had the pleasure of attending the American Bankers Association RIsk Management Conference in Austin. This event, which covered a wide range of risk concerns for banking professionals, surfaced many conversations about breach notification requirements and the challenges facing privacy professionals.

In my role at RADAR, I have the distinct pleasure of working directly with our customers, learning about the challenges they face and the success they find in building a strong culture of compliance within their organizations.

Privacy and security incidents that expose sensitive customer data happen all the time, and when they do, you have to act quickly and strategically. The right technology for managing your incident response process is crucial to protecting your customers and your organization against breach risks.

Last week, myself and members of the RADAR team were able to attend the IAPP CCPA Comprehensive in Fremont, California. This day-long program focused on the California Consumer Privacy Act (CCPA), with a special focus on the act’s scope, definitions, General Data Protection Regulation (GDPR) inspiration, and areas for further clarification.

As privacy grows in importance, so does the need for effective incident response management. Ideally, this includes consistent processes, well-established policies and procedures, collaboration across departments, and proof of compliance. The reality is often a lot different—and a lot more chaotic.

The recent webinar Anatomy of A Privacy Incident: Data Breach Response and Investigation Best Practices dove into the best practices for designing an incident response program that encourages an organization-wide culture of compliance. Panelists Andrew Reeder from Rush University Medical Center and Asra Ali from Healthscape Advisors lead a lively discussion into the ins and outs of compliance programs, covering topics ranging from common presumptions and best practices for managing the phases of incident response within an organization. 

“There is only one amount of money—just not enough,” author Andrew Kaufman once wrote. Many departments in an organization feel the financial pinch, especially privacy teams, who face the challenge of completing herculean tasks on a small budget. Privacy budgets tend to be microscopic compared to those of security or IT/infosec teams. Thus, critical privacy activities such as incident response often get lower budgetary priority than new cybersecurity initiatives—and when that happens, the entire organization is at risk.

Today’s world is built for speed. Want a ride? Get an Uber or Lyft at your door in 10 minutes. Want your food faster? Use Grubhub and order ahead. Have a data breach requiring notification? Work quickly, because you may only have 72 hours to provide notification to individuals and regulatory authorities, depending on the jurisdiction.

In 2018, less than 10 percent of data privacy or security incidents were breaches requiring notification. Yet it wouldn’t be surprising if that percentage starts to increase. One of the key factors in breach determination is the nature of the personal information exposed. Last year, we saw a significant expansion in the definition of personal information across multiple laws.

This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by RADAR, a provider of purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here. 

Once an incident has been discovered, the clock starts ticking. Privacy officers and their teams must immediately investigate the incident, perform a multi-factor risk assessment according to all applicable jurisdictions to determine if the incident rises to the level of a data breach, and notify affected individuals, regulators, and authorities — often within a very short time frame. It can be a daunting task, compounded by the need to keep up with an ever-changing patchwork of data breach regulations, both enacted and proposed, each with their own unique requirements.