“Radar is our privacy program’s big success story this year.”
– Privacy and Ethics Lead at Fortune 100 U.S. health insurer
With more than 16 million members across the U.S., one of the country’s largest health insurance companies had been struggling to manage its obligations around privacy and data security incidents. They needed a solution that would allow them to not only assess incidents quickly and more efficiently for regulatory requirements, but also to meet the notification requirements of around 10,000 different contracts.
Manual Incident Response Process Couldn’t Handle Contract Complexity
Until 2019, the privacy team at this Fortune 100 company had been handling incident response completely manually. The team handles an average of 250 reported incidents a month, half of which require assessment. The equivalent of seven full-time employees were handling 18–22 incidents each, and assessment of each incident could take up to two days.
While the team had been successful in protecting the organization against regulatory fines for non-compliance, the privacy director worried that the manual assessment process didn’t allow the team to fully assess the contractual obligations arising from each incident, putting the company at risk of non-compliance with contract terms.
With around 10,000 contracts potentially affected, the manual process wasn’t keeping up. So, the privacy team chose Radar to help automate the assessment process, including evaluation of contract obligations arising from privacy incidents.
Radar Takes Assessment from Days to Minutes
The privacy director says that improving compliance with contractual notification obligations has been the biggest of several big wins from Radar. She cites a recent incident that involved state and federal laws and affected 180 contracts.
“Before, this incident would have taken 1–2 days to work through manually. With Radar, our team had all the information we needed right in front of us in minutes.”
Radar saves the team 95 percent of the time they used to spend on incident assessment, because all the state laws are built into the tool. The director says another big win is instant visibility into notification deadlines, so the team can easily avoid incurring fines or penalties.
An Unexpected Benefit: Greater Incident Reporting and Awareness
There was one surprise with Radar: incident reporting increased.
“Radar is our privacy program’s big success story this year. When we started using Radar, our incident volume went up by 30 percent. Our CRO said he expected efficiency and asked why there was an increase. We responded that prior to Radar, we were missing a big percentage of work and weren’t capturing it. Radar has exposed the risk and where it’s coming from, and through better reporting, we can better train the whole organization to be on the lookout for potential privacy incidents.”
Greater staff awareness has been an unexpected benefit of Radar, but the company has also seen the expected increases in efficiency in multiple ways. In addition to reducing incident assessment time by 95 percent, the director says her team is saving time because they have fewer incidents to review.
“We used to manually review every incident. Now we only review the ones that are yellow on the heat map, making us 50–70 percent more efficient.”
Radar Expedites Incident Intake
Incident intake time has also been reduced from 125 hours or more per month to essentially zero. Under the manual process, employees would report incidents by email, and privacy team members would spend 30–45 minutes rekeying the information into the incident database.
With Radar, the company’s 50,000–60,000 employees can enter complete reports themselves.
Radar Provides Clarity
For the privacy director, another great benefit of having Radar has been the consistency it brings to incident assessment. Her team used to have to keep informed on changing state privacy laws with information from a subscription service, but now the assessment is done instantly based on the always up-to-date information in Radar.
With new confidence in their information, the team has reduced the number of incidents referred to in-house counsel from about 25 percent to less than 1 percent. The privacy group is also able to provide new clarity through faster, easier reporting. Radar’s built-in reporting capabilities have reduced the time to create trending and root cause reports by half.
With the efficiencies that Radar brings, the director expects to be able to reduce the staff time spent on incident assessments by half. But there are also less measurable benefits. Overall, Radar has given the privacy team more confidence, consistency, and credibility.
“We don’t have people interpreting laws or contracts inconsistently anymore. Our CRO was able to show the CEO how we are able to better control the overall risk with Radar.”