If you experienced a privacy incident tomorrow, would you know exactly what to do?
For most privacy and legal teams, the answer is a resounding “no.”
The status quo of privacy incident response relies heavily on teams “figuring it out” with consultants and outside counsel when a breach occurs. This reactive approach, however, proves expensive, risky, and slow for both the breached organization and its outside help.
That’s why leading organizations and privacy experts are shifting to a more proactive approach.
At this year’s Privacy+Security Forum, BreachRx CEO and Founder Andy Lunsford led a panel discussion on how leading privacy experts are building proactive incident response programs fit for their organizations and/or their clients. The panel included:
- Chris Donewald, Director, Managing Counsel, Affirm
- Eric Heath, VP, Deputy General Counsel & Chief Privacy Officer, Ancestry
- Jodi Daniels, Founder & CEO, Red Clover Advisors
If you missed the live conversation, here are the top five takeaways for building an actionable privacy incident response program that works for the maturity of your organization.
1. Prepare for action: The most actionable privacy incident response plans are dynamic
Getting ahead of incidents and reducing your legal and business risk requires a privacy incident response program that goes beyond the traditional static and generic plans.
While it’s easy enough to download a Word document or spreadsheet response template off the web, the panelists agree that this manual, one-size-fits-all approach to incident response can be dangerous for a few reasons:
- A static template can be difficult to manage and keep up to date as regulations, contracts, and threats evolve.
- A downloaded template may not be sufficiently granular for any given company.
- A static template can create a false sense of security and is unlikely to prepare your team for what actually happens, as events rarely go exactly according to plan.
Instead, Eric Heath encourages responsible privacy teams to build a plan that is more dynamic and tailored to their organization. He also suggests conducting a live, tabletop privacy incident response exercise once or twice a year to help your team test whether or not your plans are actually actionable and up to date. Remember: Events rarely go according to plan, and that makes it critical to remain dynamic in your response plans.
2. Build muscle memory: The key ingredient to an effective privacy incident response program is practice
Data indicate that every company faces at least a 50% chance of experiencing a breach within the next year. However, Jodi Daniels, who works with many small and medium-sized businesses to set up privacy incident response programs, observes that the figure can be as high as 60% for small businesses. She adds that 60-70% of those companies could go out of business as a result of an incident.
The biggest contributor to this heightened risk? Assuming they won’t suffer an incident or a breach.
Every business — no matter how small — is susceptible to a breach, and the key to protecting against serious harm is to prepare accordingly. That’s why the first step in laying the groundwork for an effective privacy incident response program is practice.
“You need to have a plan, practice the plan, and know what’s in the plan,” Jodi explains, adding that knowing what data you have and where it lives should sit at the core of that plan. “When you’re in crisis mode, you won’t have time to figure out where your data reside.” This makes practice essential, as proactively developing the muscle memory around your plan can reduce risk by helping you hit the ground running when an incident actually does occur.
3. Work together: The most powerful privacy incident response is a team effort
Some organizations think of incident response almost exclusively as a security responsibility. This leaves teams with the inclination to simply “throw it over the wall” to their privacy and legal departments in the case of a severe event. But this approach proves problematic.
Chris Donewald urges everyone to recognize privacy professionals as key stakeholders in incident response, but cautions that these teams should never shoulder the responsibility to respond alone.
The communications team also needs to be tightly integrated into the response, and they should be a part of all tabletop exercises to ensure that everyone is rowing in the same direction. This communications strategy can be key to breaking down silos and building a coordinated response.
Overall, the privacy team should work closely with communications, security, engineering, legal, and the business to consider:
- Communicating up: What do executives need to know?
- Communicating across: How do you pull in the operational teams that must determine what has been compromised?
The exact stakeholders you need to involve and the best process for doing so will vary based on your business’ size, industry, and data, among other factors, but the experts agree that the most powerful privacy incident response plans are coordinated, cross-functional efforts.
4. Be proactive: The most prepared teams consider the extended impact of a privacy incident
Importantly, this cross-team collaboration must be a long-term effort. As Andy Lunsford points out, the average small breach takes nine months to resolve.
Organizations often believe they’ve mitigated the risk of a privacy incident once security triage is complete. This is a misperception. In reality, the long-term impact can be massive because of potential reputational damage: if a business starts taking hits in the press or blogosphere, the damage to the brand can reverberate for months.
According to Eric, getting ahead of this risk starts with building alignment internally. “Get to know the key stakeholders within the organization. Go to lunch with them. Understand their incentives,” he explains. That said, the panel warned against over-relying on a single expert, in case that person is not available at the time of an incident.
And don’t stop with just internal stakeholders. Make sure that you also get to know your vendors, including how you use their data, the exposure your relationship with them creates, and your contractual obligations to them.
Perhaps most critically, start building relationships with regulators: your first contact with them should never come after a breach has already occurred. You should always know whom to call, and when, before you actually need them.
5. Consider the bottom line: The best privacy incident response plans grow with the business
With experience at Yahoo!, LinkedIn, Zenefits, and Ancestry, Eric has seen a variety of companies go through the process of maturing their privacy incident response programs. This experience reveals that having the “right plan” depends on the size and maturity of the business, and what exactly this looks like should continue to evolve alongside the business.
Specifically, Eric has helped organizations mature their privacy incident response plans from bare bones to battle-tested programs. This involves building out teams with clear roles and responsibilities, making privacy and security a leadership-level issue, and communicating continuously across groups.
As part of this effort, program leaders must regularly engage the business to learn about the data infrastructure, storage, governance angles, brand strategy, and more, as well as how each of those measures changes over time. Jodi recommends engaging different stakeholders often through exercises and training to answer questions like:
- What data do you report?
- How do you report it?
- What is the message of that report?
- Who do you tell about it?
One key growth stage to which program leaders should pay extra attention is preparing to take a company public. This stage requires a robust plan that has gone through several reviews to find and plug gaps in order to minimize risk. “It’s one thing to build the plan, it’s another to test it to see if you can actually meet those requirements,” Chris explains.
Testing plans doesn’t end with an IPO, either. As a company grows organically, or especially inorganically through acquisition, it’s critical to make reviewing privacy incident response plans and practices part of the process, both to mitigate third-party risk and to ensure you don’t bring in a hornet’s nest of problems.
Final thoughts: The future of privacy incident response is complex, but enabled through technology
While the privacy regulation landscape will no doubt become increasingly complex over the next several years, the good news is that innovations in privacy and legal technology are making it easier for teams to navigate this environment.
New platforms like the BreachRx incident management platform can help organizations prepare for incidents by staying up to date on the latest regulatory requirements, creating and managing dynamic playbooks, and coordinating across teams to get proactive against privacy risk.
With 24-48 hour reporting timelines increasing the pressure on organizations to be ready to respond if and when an incident occurs, enabling teams with the proper technology early can be one of the best investments an organization can make.
Finally, the right technology can also help reduce risk over time. By helping teams track and measure their recovery from incidents, the BreachRx platform arms teams with the data they need to highlight both their successes and the areas where they need additional help and investment from the business. This data is critical to building the business case for a coordinated privacy incident response program for your organization.
Andy concludes: “Serious incidents occur every minute. It’s not a matter of if, but how often. The best thing an organization can do is to prepare proactively with a dynamic plan to minimize the risk to the business.”