Performing a multi-factor risk assessment to determine whether an incident involving PII and/or PHI requires notification to regulatory bodies isn’t just a good practice for privacy programs; it’s a requirement for documenting and demonstrating compliance with data breach laws. Due to the misconception that any incident involving sensitive, regulated data is automatically a notifiable breach, it is critical that every incident undergo a compliant multi-factor risk assessment to establish your burden of proof, particularly when deciding not to notify because you were able to properly mitigate the risk as permitted by law.
Privacy, compliance, and security officers tasked with assessing incidents must stay up to date with a patchwork of ever-changing federal, state, and international data breach laws – a herculean task.
Despite this complexity, many organizations are still struggling with a spreadsheet-driven, highly subjective, and manual method of conducting incident risk assessments. When I talk to privacy and security professionals in the field, they describe a painful, multi-step process with checklists, spreadsheets, and disconnected systems that don’t quite fit together.
RADAR was built with the idea that we could leverage automation and technology to solve this very real problem for privacy teams. Below we’ll explore some of the common comparison points I’ve seen privacy teams weigh when evaluating the efficacy of software solutions against manual processes.
While homegrown solutions may seem inexpensive to create, in the long run this seemingly low-investment approach can be the costliest. An ad-hoc internal process is often manual and time-consuming, and it creates organizational risk through inconsistency and the very real possibility that an incident falls through the cracks. The lack of a consistent internal process puts companies and their customers at risk of brand damage, lost business, identity theft, and even lawsuits or fines.
One RADAR customer, a Chief Privacy Officer at a large financial organization, recalled the world before her team established a repeatable incident response process:
“Everything was ad hoc, case by case. It makes my hands sweaty just to think about it.”
Investing in automation through a SaaS platform, on the other hand, ultimately reduces operational expenses as well as organizational risk. Technology streamlines workflows, allowing privacy teams to control the cost and time spent on routine incidents, legal research, and compliance risk assessments, so that staff can focus more strategically on non-routine incidents and on overall program execution and oversight.
Time to Decision
Automating the required multi-factor risk assessment process helps reduce the time from incident detection to breach determination and notification to ensure regulatory compliance. Compared with manual internal solutions for incident response, automation saves teams time, enables compliance, and makes teams more productive and effective.
One example: In a time trial comparing RADAR to their previous manual incident response workflows, one customer learned that the time it took to gather the pertinent facts involving multiple jurisdictions, perform a multi-factor and multi-jurisdictional risk assessment, and analyze legal implications to arrive at a breach determination decision was reduced from many days with their manual internal system, to 15 minutes within RADAR.
As notification timelines, along with penalties for non-compliance, become more and more stringent, it is a wise move for organizations to seek measures and systems that help reduce the time to decision and notification.
Peace of Mind
When you’re maintaining a manual system for incident response, the onus is on you to ensure the workflow is humming along well enough: teams across your organization are able to escalate incidents to you easily and with sufficient detail; your understanding of data breach laws is current in each applicable jurisdiction; you are involving the right people at the right stage of the investigation; and, most importantly, you are doing so in a consistent manner, every time.
By comparison, RADAR as a SaaS solution is always up to date. With regulatory watchlists and law overviews that are always kept current, RADAR customers have eliminated the costs and time associated with monitoring, researching, and analyzing regulatory changes.
Think of it this way: in 2017 so far, we’ve had 27 releases within RADAR. Each release brings functional enhancements to the platform, keeps the RADAR Legal Engine up to date with ever-changing data breach laws, or brings our customers new and useful features we’ve developed based on their input. We’re also tracking over a dozen pieces of domestic legislation at any time, not including our ongoing development and monitoring efforts of international privacy laws – including GDPR.
The Results: Weighing Homegrown Solutions vs. Automation in Software for Incident Response Management
Suffering an incident and sorting out if it’s a data breach based on ever-changing state and federal laws will raise the blood pressure of any privacy professional.
This very real business problem was what led me to the invention that eventually became RADAR. I realized that the use of modeling technology and purpose-built software could eliminate the inconsistency and inefficiencies that were inherent in the existing manual approaches. And what we have built is just that: an incident response platform with a built-in multi-factor and multi-jurisdictional risk assessment that provides consistent and reliable decision-support guidance.
If you would like to consult with a member of our team about your current incident response process, we would love to show you what RADAR can do.