Privacy and information security often live in their own silos, an impractical separation that puts both an organization and its customers at risk from a data breach. This risk occurs when a security incident—say, a malware attack that exposes customer information—is remediated without undergoing a proper risk assessment to determine if it is a reportable breach.
Even if the malware is removed, the customer data is still out there, possibly in the hands of criminals who may sell or misuse it. Without a proper risk assessment to determine if the incident is a data breach requiring notification, your organization could face regulatory sanctions, fines, and reputational damage—classic data breach risks. You may be wondering:
- Do I have a process for conducting a risk assessment for each incident against all applicable federal and state breach laws?
- Does my process for managing security incidents stand up to the legal litmus test of being repeatable and consistent—a regulatory requirement for many industries?
- Do I consider the legal definition of “data breach” as per state and federal regulations when I assess an incident?
- Would this process withstand a regulatory investigation?
In order to answer yes to these questions and effectively mitigate breach risks, you must break down the silos between privacy and security. Only then can you make breach determination a cooperative effort.
Start with Security
Once an event is discovered, the details are normally captured and evaluated by the information security team to determine if it poses an adverse affect—that is, if the event should be up-leveled to a security incident–see our recent blog post on this topic. This includes completing a root-cause analysis, performing remediation, and then documenting the facts of the event, such as:
- The source of the event;
- The level and risk of exposure;
- The nature of the personal data potentially exposed, and whether any protections (such as encryption) were in place;
- The number of potentially impacted individuals;
- Remediation steps taken to contain the incident and limit exposure risks;
- Is the event ongoing or static;
- Malicious/non-malicious intent.
If information security determines the event is indeed a security incident, then it must undergo a risk assessment to see if it’s a data breach that requires notification. That’s where privacy comes in.
Event: Any observable occurrence in a system or network (definition from NIST).
Incident: Any Event that violates an organizations security or privacy policies involving sensitive information.
Breach: Any Incident that meets specific legal definition per state or federal breach laws and requires notice to affected individuals.
Privacy Takes Over
The security team provides valuable information about an incident that requires analysis by the privacy or compliance team. This analysis comes in the form of a multi-factor risk assessment, and requires such information as:
- The nature and severity of the incident;
- The type and sensitivity of the regulated data that was impacted;
- Remediation steps that may lower the risks of data disclosure or acquisition;
- Whether the incident qualifies for any exemptions, such as if the data was encrypted;
Only with extensive and consistent input from information security can the privacy or compliance team assess the facts of the incident against applicable state and federal laws and decide if the incident is actually a breach. Using incomplete or inaccurate information about a security incident for the risk assessment can lead to an incorrect breach determination and response that puts an organization at risk for regulatory action and reputational damage. Clearly, information security’s role in incident risk assessment can help make the difference between good and bad business decisions.
Privacy and Security: Better Together
Fostering cooperation where separation used to exist is difficult. Privacy and security teams have their own priorities and budgets, which may viewed as competitive rather than cooperative. But, as we’ve said, it’s this limited perspective that increases data breach risks.
To encourage privacy and security to work together, organizations must simplify their approach to managing incident response. That means automating the different phases of incident response management—especially the risk assessment—allowing both privacy and security to play their role in protecting customer information against the growing threats of data breaches.
Learn more about how privacy and security can work together with the free whitepaper, Incident Response Management Software: The CISO’s Secret Weapon for Reducing Enterprise Risk.