In 2020 the Verizon Data Breach Investigations Report analyzed a whopping 157,525 incidents globally, including 108,069 breaches. Cross-referencing these findings with the 2020 Baker Hostetler Report, we see that on average, the process for an organization to move from the discovery of an incident to notification took 38 days per incident.
As the likelihood of incidents increases in the years to come and privacy officers face growing demands on their time and resources, having an incident response process that is efficient, consistent, and defensible is more valuable than ever. Privacy professionals who are working against competing organizational priorities and inefficient processes must make the case to rise above tedious, manual risk assessments and usher in the age of incident response automation.
Risk Assessment Timelines
When properly performed, risk assessments help your organization understand the scope of a privacy incident and provide critical information for next steps – and they’re required by law. However, getting the information you need often means engaging in repetitive, manual actions like reviewing individual incident profile details against varying jurisdictional requirements in an attempt to piece together the organization’s obligations.
When done poorly, this process bottlenecks incident response teams and creates undue pressure on privacy officers.
Given that a privacy incident or data breach will eventually occur, what separates successful organizations from the pack is efficiency and consistency in risk assessment. With a thorough risk of harm assessment based on up-to-date privacy regulations, stakeholders are equipped with the information they need to make a confident notification decision.
In an interview with Lisa Copp, the associate general counsel and chief privacy officer at CNO Financial Group, we explored why incident risk assessment requires heightened scrutiny:
“All of us have dealt with incidents… They’re so fact-sensitive. You can’t just say you have this type or that type. Even with something that looks very cut and dried, the facts are so nuanced. The next phases are all going to build on that initial investigation. How will I assess this? What will the decisions be? What is the risk to the organization?”
It’s not small work. Proper assessment includes evaluation of:
- Varying definitions of what constitutes a breach
- What qualifies as personally identifiable information
- A myriad of competing regulations
Each of these affects the organization’s obligations in the event of a breach. However, a completed assessment is only the prerequisite for decision making about a privacy incident, and again, the time from discovery to notification averages 38 days when manual processes are used.
The case for privacy incident response consistency argues that while risk assessment is complex and will require increasingly more attention from privacy teams, it only represents one stage of an organization’s incident response process. By automating risk assessment and notification guidance, privacy officers can circumvent hours of compliance regulation research and remove subjectivity from their decision-making.
Through a consistent, repeatable process for reaching notification decisions, privacy professionals gain standardized assessment criteria, a set methodology, dependable reporting, and standardized analysis workflows, which leaves more time to make decisions about notification.
Naturally, repeating this process without automation puts a lot of pressure on operations.
In 2020, the FBI documented almost 4,000 cyber attack-related complaints per day. At the same time, Microsoft reported that attempted phishing or social engineering attacks in the United States jumped to almost 30,000 per day.
With a shifting landscape of cybersecurity threats occurring on top of the ever-present risk of human error, security teams have a lot on their plate and the burnout felt by team members can take a huge toll on operations and employee turnover.
With the help of automated risk assessments and notification guidance reducing subjectivity and streamlining operations, privacy and compliance teams are able to reduce the time from incident discovery to close.
With shorter timelines, automation helps reduce stress for incident response teams’ day-to-day responsibilities.
Additionally, due to the consistency and repeatability of an automated risk assessment process, incident response teams are armed with the confidence to make notification decisions quickly. With the same automated process, you reduce the stress of uncertainty and ensure your team can provide a defensible course of action for every notification decision complete with a reliable source of documentation for how they arrived at each decision.
From an executive perspective, the efficiency that automation provides allows both privacy and security departments to reduce workloads on their teams and stay ahead of breach notification timelines.
Stay Profitable with Consistent, Defensible Risk Assessment
For many organizations, the biggest privacy challenge is keeping up with and applying relevant laws and regulations to incidents that involve multiple jurisdictions.
After all, a single incident can involve multiple state or international statutes, each with unique stipulations about who needs to be notified, when they need to be notified, and what the organization’s responsibilities are concerning the information involved in the breach.
As discussed, this caseload is no small task for privacy officers to research and assess on top of their full workloads.
Common inhibitors to successful assessment include:
- Human error during risk assessment
- Inefficient workflows overloaded with mundane tasks
- Inability to manage complexity at scale
All of these compound to increase costs in the form of wasted time, potential violation of notification requirements, and under- or over-notifying. Given the number of incidents that require assessment each year, having a consistent, automated process to assess risk is a no-brainer.
As Radar metadata revealed in the Benchmarking Privacy Incidents 2020 Report, organizations using best practices and automation to operationalize incident response completed the process from discovery to notification in 26 days (compared to 38 days for organizations without automation in this process).
That’s 12 fewer days spent on investigation per incident. How many incidents did your organization assess last year? For a glimpse of what automation in incident risk assessment can save your organization, explore our handy ROI calculator.
While time and money are at the top of everyone’s efficiency checklists, it’s worth taking into account the stress relief benefits that automation can bring to your organization. Besides creating space for priorities, automated risk assessments provide confidence through consistency and defensibility amid an increasingly complex data breach notification landscape.
No matter how you slice it, incidents are on the rise, and organizations that invest in automated risk assessment and notification guidance can get ahead of inefficient and costly manual processes by acting now.
To learn more about how organizations create inefficiency in incident response, read our new whitepaper to understand the who, what, why, and how of streamlined incident response.