Five Tips for Incident Response Readiness
By Alex Wall, Esq., CIPP/US CIPP/E
Senior Counsel & Global Privacy Officer

Data breaches and how to prepare for them are perennially hot topics among privacy and compliance professionals. We are well aware of the hazards involved in poor incident response, but taking a step back to evaluate incident response readiness can be helpful before your next incident occurs. Below are five key tips for incident response readiness:

Tip #1: Spend money to save money.

Push to give privacy its own budget. Privacy teams increasingly argue that they should control their own budgets rather than drawing on security's, because the two functions compete for the same resources and do not always share the same priorities. Consider:

  • The 2016 Cost of Data Breach Study found that the average consolidated total cost of a data breach grew from $3.8 million to $4 million. That figure is the direct cost of a single breach; losses from brand and reputational harm come on top of it. Against the real cost of non-compliance, a comparatively small investment in preventative measures, including staff hours, systems, and incident response preparedness tools, may well be worth the price tag.
  • Under GDPR, companies will run the risk of fines of up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, with the turnover figure calculated across the entire undertaking rather than just the subsidiary at fault. The planning and systems that must be implemented to meet the 25 May 2018 go-live deadline will require a significant investment.
  • With data breaches so prominent in the media today, a well-funded privacy team can be a market differentiator. For instance, Microsoft's Brendon Lynch won the 2017 IAPP Vanguard Award at this year's Global Privacy Summit, a signal to the public and to data protection authorities that recognized leaders in the field are directly shaping the organization's practices with respect to personal data.

Tip #2: Identify your core and extended team NOW.

Identifying your team before an event occurs keeps the process moving forward, and lets the members become familiar with each other and ready to collaborate on short notice on privacy impact assessments and data incident response. Working together on a common platform and walking through the multi-factor risk analysis process in advance helps ensure that incidents are assessed consistently, rather than differently depending on who happens to be on call. Acting as counselor and advisor, a privacy professional is well placed to identify the privacy stakeholders across the organization and to encourage collaboration among them. To maximize the net value of the data the organization processes, the team should meet periodically to discuss concerns and find creative ways to improve compliance. Periodic meetings are also an opportunity to update the team on rapidly evolving privacy and breach notification laws, such as this year's changes in the breach notification laws of New Mexico, Tennessee, the Philippines, and Japan.

Tip #3: Build a response plan before you need it.

I cannot stress enough the necessity of an Incident Response Plan (IRP) and its importance in meeting breach notification deadlines. A crisis is the wrong time to discover that the team disagrees on how to handle incident response, or that it lacks access to the information, tools, and expertise needed to respond properly. Staying current on breach notification requirements is also much easier, more accurate, and more efficient with the right tools. The IAPP-RADAR Incident Response Center, for example, is a partnership between RADAR and the IAPP that gives IAPP members an efficient, streamlined way to access complex and ever-changing data breach notification laws, kept up to date and including jurisdiction-by-jurisdiction breach notification summaries for the US, EU, and beyond, GDPR included.

Tip #4: Know the difference between an event, incident, and data breach.

Beware lax use of the word "breach" (aka the "b" word). Under most breach notification laws, "breach" is a legal conclusion that triggers notification obligations, so using the word loosely in email and discussions can create a misleading record and may cause those involved in the investigation to panic, overreact, or conceal information. Keep the three terms distinct: an event is any observable occurrence in a system or network; an incident is an event that violates, or imminently threatens to violate, security or privacy policy; a data breach is an incident that the investigation has confirmed compromised personal data in a way that triggers a notification duty. It is imperative to remain objective and thorough throughout an investigation. Until you know for certain otherwise, don't call an event or an incident a breach. To learn more about the difference between an event, an incident, and a data breach, read here.

Tip #5: Don’t forget about your contractual obligations.

Another key aspect of getting your company ready for an incident is lining up vendors and buttoning up contracts and business associate agreements in advance, so that you know both which resources you can call on to help respond to a potential breach and which contractual obligations you have to notify business associates and third-party vendors if your data has been compromised. The cost of noncompliance with vendor contracts and business associate requirements is real. Consider these two examples drawn from breaches reported to the Health and Human Services (HHS) Office for Civil Rights (OCR) and posted on its so-called "Wall of Shame," a listing of breaches affecting 500 or more individuals:

  • In December 2015, insurance holding company Triple-S, based in San Juan, Puerto Rico, settled potential HIPAA violation allegations by paying HHS $3.5 million. OCR found widespread noncompliance across Triple-S' subsidiaries, including failure to implement appropriate safeguards to protect beneficiaries' protected health information (PHI), disclosure of more PHI than necessary to carry out mailings, and failure to conduct accurate and thorough risk analyses, among other findings.
  • In July 2016, Oregon Health & Science University signed a resolution agreement with OCR over two 2013 data breaches affecting more than 7,000 patients; it included a $2.7 million payment and a three-year corrective action plan. In the first breach, an unencrypted laptop containing PHI was stolen from a surgeon's vacation home. In the second, PHI had been stored with a cloud storage provider without a business associate agreement in place. There were no reports of harm to patients resulting from either breach, which underlines that the penalty turned on the missing safeguards and agreement, not on demonstrated harm.

Having the right people, technology, and processes in place while the organization is thinking clearly, and not responding to a crisis, will greatly contain the financial and human costs of a breach when one happens. A technology such as RADAR that automates the multi-factor risk assessment process is another essential component of a breach response plan, with a workflow, breach assessment engine, and reference library purpose-built to save time, money, reputation, and stress.