As a privacy leader, what goes through your head when you find out that company data has been lost? Probably dozens of questions: What’s the cause? Have we contained it internally, or do customers already know about it? How many customers have been affected? In this post, we look at a more critical and fundamental question: What kind of event is this?
Making this distinction may seem like a minor matter, especially in the heat of the moment. But an efficient, effective response depends on the answer.
Companies frequently have “events” that might become legally classified as “incidents” — or even eventually end up being a “breach.” These classifications form a sort of scale that you can use to align your responses, make them more effective, and ultimately protect your organization during litigation. This post will help privacy professionals determine what kind of event they have on their hands and how to develop a new, integrated muscle for privacy incident response.
Distinguishing security incidents, privacy incidents, and data breaches
The two major categories of incidents to focus on are security and privacy incidents. Security incidents (e.g., denial of service attacks or failure of your security technology) happen regularly, and teams are much more familiar with them. Privacy incidents (e.g., unauthorized access to customer data), on the other hand, are unfamiliar territory for most of us.
Below are some examples of typical privacy incidents:
- A marketing director comes to you with bad news. His laptop (which contains all sorts of sensitive customer information) disappeared during his business trip. He thinks he left it in a taxi or the airport terminal.
- During a busy period, a pharmacist accidentally gives a prescription to a customer with a similar surname and from the same apartment complex as the intended recipient.
- A business’ check scanner breaks, and an employee tries to be helpful by downloading a third-party app to their smartphone and continuing to scan checks. But that places the customer information in a third-party system.
Data breaches, specifically mega-breaches like the one Equifax suffered in 2017, draw the most public attention, but while the impact of such events is huge – even catastrophic – they are rare. Privacy incidents like the examples cited above happen much more frequently, and most companies are not at all prepared for them.
Understanding the differences between security incidents, privacy incidents, and data breaches enables your privacy teams to effectively prepare to respond to each. This includes knowing when your team needs to collaborate with your organization’s data security team and how to comply with regulations in a timely manner, thereby protecting your customers and your organization’s brand.
When security and privacy incidents overlap
We picture the distinction between security and privacy incidents as a Venn diagram. There are incidents (like the examples above) that only the privacy team tackles, ones that fall solely under data security, and ones that require action from both teams. Examples of incidents that require action from both the data security and privacy teams include:
- Nation-state exfiltration: other countries unlawfully moving customer data from a business’ data store for espionage or sabotage
- Ransomware attacks: cybercriminals encrypting a business’ customer data and demanding a ransom for its release
- Customer accounts being outright stolen
In each case, security teams typically resolve the technical aspects of the problem and fix any security vulnerabilities that led to the event. Privacy teams, on the other hand, typically oversee notifying customers and regulators as well as complying with regulations.
Integrated incident response is no longer the future. It’s needed now.
You can’t simply assume that the security team will know when they need to coordinate, much less when to let the privacy team know about an incident. Security teams tend to think of incidents in terms of the technical and tactical activities required to get cybercriminals out of the system and keep them out. Privacy or legal teams, on the other hand, deal with a “longer tail” set of activities — customer notifications and legal obligations.
Even seasoned security professionals are not always aware of the tasks that the privacy team will need to complete in response to an incident. In fact, most of the privacy incidents mentioned earlier won’t be on the radar of security teams because security has no role in those circumstances. Tabletop exercises and communicating ahead of time can help enable smooth coordination when the need arises.
Preparation for privacy incidents is essential for an effective response
In addition to effectively aligning security and privacy teams, understanding the difference between privacy incidents and data breaches makes it easier for privacy leaders or general counsels to quickly grasp the legal ramifications of a particular incident.
Knowing the difference also helps your team prepare ahead of time so that they can swiftly comply with regulations and contractual obligations. If you have not prepared beforehand, you will have a large amount of work to do when an incident occurs:
- Figuring out whether your business contracts require you to notify customers, vendors, or partners, and within what timeframe
- Deciding whether the incident is covered and substantial enough to warrant looping in your cyber insurer
- Hiring experienced outside counsel and forensic consultants to aid and/or direct the response work
- Identifying the relevant regulations in different countries and states
- Preparing public communications and internal communications around the incident
- Notifying regulators (if required) within the required time frame
- If the event is a data breach, determining whether customer notification can be made via email, postal mail, and/or press release
The actions you take will depend on the circumstances of each incident: business impacts, brand considerations, risk assessment, costs, and the regulations set by the relevant states, countries, or government agencies.
Breaches and incidents have increased and so have the consequences
According to ZDNet, 2020 saw a total of 331 data breaches reported in the European Union each day. IBM and the Ponemon Institute found that 44% of data breaches involved the loss of customer personally identifiable information (PII). The Ponemon Institute also found that the average cost of a data breach in the United States was $9M.
Statista reported that more than 155.8 million individuals had sensitive information accidentally revealed. That’s half of the entire U.S. population, and a strong indication of just how common these incidents have become and how essential it is to prepare for them.
The variety of privacy incidents makes it harder to pin down an average cost. But the chief information security officer for one of the world’s largest investment firms says, “Failing to manage privacy incidents effectively can expose organizations to serious disruptions, including fines, litigation, reputational damage, and significant client attrition.”
Today, chief privacy officers and general counsels around the world are making use of proactive tools that help them clarify and define incidents so that their teams can respond quickly and effectively.
Find out more about the benefits of preparing for privacy incidents at Why choose proactive privacy incident management? 5 major reasons.