Will you plan for — or react to — your next privacy incident?
When we speak with privacy professionals, we hear that proactively preparing for data breaches is a high priority for industry-leading General Counsels and Chief Privacy Officers. And it’s no wonder; privacy incidents affected 47% of companies last year alone.
This post explores the drawbacks of a reactive approach to privacy incident management, the value of a proactive approach, and what current and former industry-leading privacy experts from Autodesk, Eclypsium, JPMorgan Chase, US Bank, and Vanguard say about the BreachRx innovative incident management platform.
Drawbacks of a Reactive Approach
“Completely manual mitigation approaches don’t scale,” says a C-Suite executive concerned about cybersecurity, formerly from Vanguard.
While many companies have a high-level privacy incident response plan, most high-level plans are just that: high-level. They don’t adequately cover the specific response and recovery tasks that must occur to successfully handle an incident — nor account for any advanced preparation.
Steve Mancini, Chief Information Security Officer from Eclypsium, says, “Successfully managing an incident begins and ends with how well you are prepared to address it. This applies to all forms of crisis response, not just cybersecurity or privacy. For most of these types of incidents, incident responders have adopted best practices from other emergency room and crisis response teams where we seek to develop response “muscle memory” for repetitive tasks and operations so we can focus our attention on the unique aspects of the incident. As a result, practitioners have generated numerous playbooks, runbooks, templates, and best practices that we create, test, and continuously reiterate over. With rare exception, almost all of them focus on the technical and internal procedural aspects of the response.”
A reactive incident response plan — complete with manual playbooks and checklists — doesn’t account for the fact that, when a data breach occurs, teams will likely be working in an adrenaline charged environment and pressed for time to sit down and read a lengthy Word doc about how to handle a privacy incident. What’s more, it’s nearly impossible for the content of an incident response playbook to adequately comprehend the critical non-technical procedural steps and regulatory obligations essential to addressing a privacy incident.
Mancini says most response plans keep security and legal teams isolated in their own swim lanes. This way of “throwing things over the wall” throws up communication obstacles and can inhibit smart, collaborative response.
The Value of a Proactive Approach to Privacy Incident Management
According to a former privacy executive at US Bank, teams’ reactions to data breaches are the real proof of their ability to handle privacy incidents.
The former CPO continues: “Most activities, most preparation, and most responses focus on the technical details and forensics, as well as whether and how to work with law enforcement. These topics address how we react to the breach, but they don’t address an urgent need. That urgent need may be less interesting and exciting, but it is more important.”
According to this executive, three questions are far more important for stakeholders to answer in the event of a data breach:
- Prepare. Why did the privacy incident happen in the first place? Did the team do everything it could to prevent it?
- Respond. Did the team do everything it can to effectively identify and correct the problem?
- Recover. How comprehensively did the team manage all aspects of response?
The cybersecurity executive formerly from Vanguard agrees: “Companies need to take a fresh approach to information risk discovery. They need tools that generate key insights, drive automated playbooks, and aid their users in making timely, actionable decisions for risk mitigation.”
The BreachRx Privacy Incident Management Platform At Work
According to the same former cybersecurity leader at Vanguard, teams require several components to successfully and proactively manage privacy incidents:
- Dynamic and tailored plans
- Automated and actionable playbooks
- End-to-end automation
- A centralized system of record with defined stakeholder responsibility
- An attorney-driven platform that strengthens privilege
Says Vanguard’s former cybersecurity executive, solutions like “BreachRx represent a new class of incident response technologies that could be a game-changer for the industry. I’m excited about BreachRx’s product. I expect to see them succeed in delivering a best-in-class incident response platform that helps companies reduce the risk of cyber exposure to their operations.”
Al Raymond, Consumer & Community Privacy Officer from JPMorgan Chase, agrees: “One thing I love about the BreachRx product, and why we’re so happy to become involved with them, is it helps to automate the end-to-end process and eliminates a lot of those mistakes and missed opportunities.”
Alexandra Ross, a BreachRx advisor and global data privacy executive at Autodesk, concurs: “Companies should consider having tools like BreachRx at the ready to help them act before, during, and after an incident, from a compliance perspective. They also need to improve their privacy and security programs overall to maintain trust with customers and regulators.”
To learn more about what people are saying about proactive privacy incident management, as well as about BreachRx, listen in on our Privacy & Cybersecurity Conversations or contact us for a demo.
Take the risk out of your breach response
Automate your incident response today