In July Gartner published its new Hype Cycle for Privacy, which provides a snapshot of various technology capabilities and categories, their relative market trajectory over time, and forecasts for future adoption. A new category that emerged in the 2018 report is Data Breach Response, whose debut underscores the emergence of a broader awareness of this critical capability for enterprises that collect and process personal data.
Understanding the recent Gartner report on Privacy technologies requires understanding the model of the Hype Cycle. The Hype Cycle format breaks down the development, adoption, and market penetration of emerging technology into five stages, from the initial technology breakthrough and growing interest or expectations of the technology, to a “plateau of productivity” or what would be considered mainstream adoption and acceptance. Hype cycles are used by organizations to evaluate emerging technologies and their forecast for a particular market.
Data Breach Response is listed on the Hype Cycle for Privacy continuum as “On the Rise” in the 2018 report. When a technology capability is 'On the Rise' it means that it is rapidly gaining traction and adoption. The Data Breach Response category is also listed as having a High benefit rating, which according to Gartner means the technologies associated with this category “enable new ways of performing horizontal or vertical processes that will result in significantly increased revenue or cost savings for an enterprise.”
There have been other signals that data breach response is a growing field. In a world where gathering sensitive, personal data has become a critical part of doing business – and a growing threat vector at the same time – data breach response platforms that provide purpose-built automation and efficiency can greatly benefit organizations.
The IAPP and TrustArc recently released the survey results of their study, How Privacy Tech is Bought and Deployed. This study breaks down privacy solutions into 10 categories. The Privacy Program Management* category, which encompasses solutions designed specifically for the privacy office, includes incident response solutions that “help companies respond to a data breach by providing the relevant information of what was compromised and what notification obligations must be met.” The results of the survey indicate that this type of software has grown significantly, “considering it was essentially unknown as a product as recently as 5 years ago.” It’s also interesting to note that 65% of respondents indicated that budget for this category of tools resides in the privacy office (a departure from budgets that were previously controlled by IT and Infosecurity). This shift also aligns with company size - the larger the company, the more budget power privacy teams have.
*Disclaimer: RADAR is listed in the IAPP Tech Privacy Vendor Report under this category.
Another marker of the positive business impact these solutions can provide is their potential to contain the growing cost of data breaches. The annual Cost of a Data Breach Study from the Ponemon Institute released July 2018 found that the faster a data breach can be identified and contained, the lower the cost to the organization. Considering that the average total cost of a data breach in this global study was $3.86M, this could be a significant way to reduce costs and mitigate risk of over reporting or missing notification deadlines. Using technology solutions for data breach response that bring automation to the process enable companies to efficiently and consistently manage these incidents and improve outcomes.
Thomson Reuters Regulatory Intelligence also produces an annual report detailing the results of a cost of compliance survey among firms across the globe. When compliance professionals were asked to list the greatest challenges facing their work, the top answers were around identifying, managing, and coping with regulatory changes (specifically calling out the complexity posed by the EU GDPR). In terms of investment and budget in privacy and compliance programs, 61% of firms are increasing their total compliance budget, which is up from 53% last year. The results of this survey indicated that coping with regulatory changes, and finding solutions to help manage this challenge and meet the mounting pressure, are top concerns for companies working towards a strong culture of compliance.
These studies clearly indicate that privacy and security incident response is a growing sector, and that effective automation to help mitigate the growing risks is well worth the business value.
What is Driving the Growth of Data Breach Response?
The growing prominence of data breach response as a mission-critical technology and the growing public awareness could be attributed to myriad business drivers and risks.
To begin with, we process more data than ever before, as a matter of our daily business practices. We are also inventing every day new ways to collect data – through smart homes, through social media, through connected devices, etc. Couple this with the ever-increasing cost of a data breach (up 4.8% this year compared to last), and the cost of poor privacy practices and the potential for harm to your customers, your business, and your reputation is great. There has also been a slew of high-visibility, widely publicized data breaches in recent years. The public is increasingly aware of these infractions - and even more so the companies that have misused or failed to properly protect their data. The threat of reputational damage, loss of customer trust, and regulatory actions have very serious business implications.
Speaking of regulatory actions, the legal landscape for data breach response and compliance has also grown in stringency and in complexity. There are new data breach notification laws cropping up - just this last year in the U.S. we saw all 50 states enact a law specifically addressing this issue. The EU GDPR, which went into effect May 25, 2018, posed significant challenges for multinational organizations, especially given the restrictive timeline for notification to supervisory authorities (72 hours after having become aware) and the potential fines associated with noncompliance. Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is going into effect in November of this year. These laws continue to evolve and shift as enforcement actions and further-issued guidance continues to shape our regulatory burden as privacy professionals.
Technology Addresses Key Areas to Improve Data Breach Response
Harnessing the power of automation and purpose-built technology for data breach response often means replacing outdated, incomplete, or manual processes. The cost of inefficient, inconsistent data breach response cannot be overstated - you risk noncompliance, over or under reporting, and harm to the customers whose data you are entrusted to protect. By replacing inefficient and broken processes with purpose-built and scalable automation, privacy professionals can reduce inconsistent and subjective incident response results, accelerate their response times, and allow teams to collaborate and still have time for other key privacy initiatives such as training, and setting and enforcing policies. Below are just a few key areas technology can benefit the work and output of a privacy team:
- Streamline incident intake and escalation
- Enable their program to scale to meet growing business needs
- Easily provide reporting and metrics to executive and board-level stakeholders
- Reduce overall risk with consistency
- Ensure breach decisions are made based on the most current, up-to-date breach notification laws
This is the definition of working smarter, not harder - and it’s exciting to see the industry recognize this area for growth in the privacy field.