By: Linda Coniglio, Information Governance and Privacy Specialist
In the last two years, there have been over 100 privacy and cybersecurity laws enacted globally. In the US alone, each of the 50 states has its own data breach law. But data breaches and privacy threats continue to grow. It seems any organization that collects and stores personal or sensitive data is inevitably going to experience an “incident.” The incident may range from a ransomware attack to an unauthorized person accessing personal or sensitive data without an authorized purpose.
When a privacy incident occurs, the organization is under pressure to notify authorities in a timely manner. The threat of penalties and reputational damage looms large. IT or Security Departments can’t be solely responsible. Recently, during a client call, an IT representative made the following analogy: “In IT we prepare and cultivate the land for farming. It’s the business that plants and maintains the crops. We can secure the land, but we don’t know what’s planted.”
Privacy departments in many companies are small but growing and maturing. In some companies, it’s not a department at all but a one-person show. Privacy professionals are working hard to educate the Board and leadership team about incident response requirements and the importance of compliance. They are also training staff on what constitutes a privacy-related incident and how to report them.
The risk of non-compliance is becoming clearer to organizations, but what can be done to take incident response from a simple reaction to a mature response process? Preparation and teamwork among IT/Security, Privacy, and Legal.
Legal action related to a data breach can be initiated if an organization fails to:
- institute reasonable data security measures
- provide a remedy to the damages caused by the breach
- provide notice of the breach as required by the jurisdictional laws
For an organization to protect itself, it is recommended legal counsel be involved from the first indication a breach occurred. During the incident response, information about the response will be generated. With attorney involvement, some of this information can be protected from disclosure by the attorney-client privilege. Attorneys can also provide specifics regarding what needs to be included (or not included) in the breach notifications of the various jurisdictions involved. Counsel can also identify individuals whose personal or sensitive data was affected.
An incident response readiness program starts with an up-to-date data map (aka data inventory) – the foundation of any effective privacy program — that shows what data is collected, where it is stored, how it’s protected, and how it is being used. Data maps are also used to create and track risk assessments that identify potential risks to the protected information. In addition, with a data map, a privacy professional can identify the data stored on each affected system. The data map will also provide critical jurisdiction information as the incident response team navigates the complexity of state, national and international privacy regulations.
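An incident-scoping helper built on such a data map, as an added example that is not part of the original article: the inventory entries, system names and field names (`jurisdictions`, `encrypted_at_rest`) are constructed assumptions, not a standard schema. Given the systems an incident touched, it reports what data elements, data-subject jurisdictions and purposes are in scope, and which affected systems the inventory does not know about.

```python
"""Incident scoping against a data map (data inventory).

Added example, not from the original article. The records and affected-system
list are constructed; field names are assumptions, not a standard schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataMapEntry:
    system: str                 # where the data is stored
    data_elements: frozenset    # what is collected (e.g. "email", "ssn")
    purpose: str                # how the data is being used
    jurisdictions: frozenset    # where the data subjects reside
    encrypted_at_rest: bool     # how the data is protected


# Constructed sample data map; a real one is maintained by the privacy program.
DATA_MAP = [
    DataMapEntry("hr-payroll", frozenset({"name", "ssn", "bank_account"}),
                 "payroll", frozenset({"US-CA", "US-NY"}), True),
    DataMapEntry("crm", frozenset({"name", "email", "phone"}),
                 "marketing", frozenset({"US-CA", "DE", "FR"}), False),
    DataMapEntry("web-analytics", frozenset({"ip_address"}),
                 "site analytics", frozenset({"DE"}), False),
    DataMapEntry("build-server", frozenset(), "CI", frozenset(), True),
]


def scope_incident(affected_systems, data_map=DATA_MAP):
    """Summarize what an incident touched, for the response team and counsel.

    Whether encryption changes a notification duty is a legal question for
    counsel; the function only surfaces the fact so counsel can decide.
    """
    wanted = set(affected_systems)
    affected = [e for e in data_map if e.system in wanted]
    return {
        "data_elements": sorted(set().union(*(e.data_elements for e in affected))),
        "jurisdictions": sorted(set().union(*(e.jurisdictions for e in affected))),
        "purposes": sorted({e.purpose for e in affected}),
        "unencrypted_systems": sorted(e.system for e in affected
                                      if not e.encrypted_at_rest),
        # Systems missing from the inventory are a gap to close after the incident.
        "not_in_data_map": sorted(wanted - {e.system for e in data_map}),
    }
```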
No matter the size of your organization, it’s the responsibility of the IT/Security department to implement reasonable data protection. They need to ensure good data security practices such as enforcing strong password policies, installing patches in a timely manner, and providing awareness training for all staff. IT/Security departments will need mechanisms that centralize risk assessments (Yes, that’s the data map!), detect if a breach occurs, understand its scope, and be able to immediately stop the entity responsible. If your organization stores personal or sensitive data, it’s not just your data anymore. You’ll need to do whatever is needed to protect it.
Incident Response Planning
Teams don’t just come together. Teamwork requires planning and preparation. According to the Federal Trade Commission (Data Breach Response: A Guide for Business), include the following in your plan:
- Secure the operations: Move quickly to secure your systems and fix the vulnerabilities that caused the security breach.
- Legal analysis: Contact counsel to analyze legal implications and notification requirements.
- Assemble the team to conduct a comprehensive breach response: This team will include legal, privacy and IT/security. However, depending upon the size and nature of your organization, forensics, human resources, communications, and management may need to be included.
- Investigate: Interview people who discovered the breach and anyone else who may know about it.
- Notify appropriate parties: Based on legal analysis, identify regulatory notification obligations.
- Follow up: Prepare for potential class action litigation and how to re-establish trust with clients.
Preparing for an incident response will only become more challenging the longer the organization waits. Privacy professionals are well-positioned to assemble the team and begin preparation. Teamwork will reduce the amount of damage and speed up the recovery process. It’s not just your data anymore!