Challenge

With more than 16 million members across the U.S., one of the country’s largest health insurance companies had been struggling to manage its obligations around privacy and data security incidents.

They needed a solution that would allow them to not only assess incidents quickly and more efficiently for regulatory requirements, but also to meet the notification requirements of around 10,000 different contracts.

Solutions

RadarFirst was selected as the vendor of choice, and the team saved 95 percent of the time they used to spend on incident assessment.

All the state laws are built into the tool, which provides instant visibility into notification deadlines so the team can easily avoid incurring fines or penalties.

One of the country’s largest health insurance companies realized a manual process could not handle contract complexity

Until 2019, the privacy team at this Fortune 100 company had been handling incident response completely manually. The team handles an average of 250 reported incidents a month, half of which require assessment. The equivalent of seven full-time employees were handling 18-22 incidents each, and assessment of each incident could take up to two days.

While the team had been successful in protecting the organization against regulatory fines for non-compliance, the privacy director worried that the manual assessment process didn’t allow the team to fully assess the contractual obligations arising from each incident, putting the company at risk of non-compliance with contract terms.

With around 10,000 contracts potentially affected, the manual process wasn’t keeping up. So, the privacy team chose Radar to help automate the assessment process, including evaluation of contract obligations arising from privacy incidents.

Assessment Time was Reduced from Days to Minutes

“Radar® Privacy is our privacy program’s biggest success story this year! Before, an incident would have taken 1–2 days to work through manually. Now, our team has all the information we need in only minutes.”

The privacy director says that improving compliance with contractual notification obligations has been the biggest of multiple big wins from Radar® Privacy. She cites a recent incident that involved state and federal laws and affected 180 contracts.

Radar® Privacy saves the team 95 percent of the time they used to spend on incident assessment because all the state laws are built into the tool. The director says another big win is instant visibility into notification deadlines, so the team can easily avoid incurring fines or penalties.

An Unexpected Benefit: Greater Incident Reporting and Awareness

“We used to manually review every incident. Now we only review the ones that are yellow on the heat map, making us 50–70 percent more efficient.”

Greater staff awareness has been an unexpected benefit of Radar® Privacy, but the company has also seen the expected increases in efficiency in multiple ways. In addition to reducing incident assessment time by 95 percent, the director says her team is saving time because they have fewer incidents to review.

“When we started using the solution, our incident volume went up by 30 percent. Our CRO said he expected efficiency and asked why there was an increase. We responded that prior to Radar® Privacy, we were missing a big percentage of work and weren’t capturing it. The solution has exposed the risk and where it’s coming from, and through better reporting, we can better train the whole organization to be on the lookout for potential privacy incidents.”

Expedite Incident Intake and Provide Clarity

Incident intake time has also been reduced from 125 hours or more per month to essentially zero. Under the manual process, employees would report incidents by email, and privacy team members would spend 30–45 minutes rekeying the information into the incident database.

With Radar® Privacy, the company’s 50,000–60,000 employees can enter complete reports themselves.

For the privacy director, another great benefit of having Radar® Privacy has been the consistency it brings to incident assessment. Her team used to have to keep informed on changing state privacy laws with information from a subscription service, but now the assessment is done instantly based on the always up-to-date information in Radar® Privacy.

“We don’t have people interpreting laws or contracts inconsistently anymore. Our CRO was able to show the CEO how we are able to better control the overall risk with Radar® Privacy.”

With new confidence in their information, the team has reduced the number of incidents referred to in-house counsel from about 25 percent to less than 1 percent. The privacy group is also able to provide new clarity through faster, easier reporting. Radar® Privacy’s built-in reporting capabilities have reduced the time to create trending and root cause reports by half.

With the efficiencies that Radar® Privacy brings, the director expects to be able to reduce the staff time spent on incident assessments by half. But there are also less measurable benefits. Overall, Radar® Privacy has given the privacy team more confidence, consistency, and credibility.
