To comply with privacy regulations, your organization most likely has an incident response plan that’s a giant 50- to 100-page tome. It checks all the boxes by outlining the procedures for all privacy incident scenarios … but it’s so unwieldy that your privacy and security teams tend to ignore or work around it rather than use it.
If that’s the case, you’re not alone. The head of one of the country’s premier incident response law firms confided to us that although they’ve handled hundreds of incident responses, never once have they consulted a client’s incident response plan. We’ve spoken to several chief privacy officers, privacy incident responders, legal operations, and general counsels who’ve said the same.
Response plans are usually built from templates that attempt to address every type of business, industry, or geography rather than being tailored to an organization’s needs. As a result, those plans are too generic for practical use.
Need help with an incident response strategy?
Leverage the BreachRx platform to build an actionable incident response plan today!
A proactive approach like privacy incident management, which employs tools and processes that streamline and accelerate incident response, can help you better prepare for privacy incidents. With privacy incident management, you spend less time and resources responding to incidents, while significantly lowering the number of lawsuits and fines you could face and reducing the risk of customer churn and brand damage.
Generic incident response plans check the box but don’t help you take action
Your giant, template-based incident response plan might help you figure out high-level requirements (for example, who’s the typical team leader for each type of incident). When it comes to knowing precisely what to do when there’s a ransomware attack, or if an employee accidentally sends one customer’s sensitive information to another one, however, that document can actually slow down response times.
With all the regulations in place across the globe nowadays and their tight notification time frames, failure to act quickly may result in consequences like these:
- Federal and state investigation and fines for poor response practices
- Shareholder lawsuits over of the loss or disruption of business
- Class action lawsuits filed by customers (those who were not directly impacted may file “no injury” privacy class actions in many state courts)
- Court fees from shareholder or customer class action lawsuits
- Adverse impact on the company’s stock, if it’s publicly traded
- Loss of profits as the company’s reputation suffers and customers fall away due to lack of trust
Steps for taking a proactive approach
Focusing on that “prepare” phase first is key to setting up for a successful response and recovery. The response phase covers the actions most people typically focus on when they think of incident response. Finally, in the “recover” phase, you ultimately follow up with post-incident activities, such as a root cause analysis and new security measures, as new inputs for the prepare phase and improving your readiness further. If you take the typical approach of focusing only on the response, you will be caught off guard and unprepared, and ultimately pay a hefty price for waiting.
Privacy incident management practices and processes should involve the following:
- Breaking the response plan into specific, actionable playbooks (one playbook for ransomware, another playbook for inadvertent disclosure or insider threats, etc.)
- Ensuring each playbook includes all relevant processes, policies, and guidelines (for example, complying with an ISO control) as well as your contractual and regulatory obligations for that incident type
- Reducing workflow expense and increasing efficiency by hiring legal operations people (who have legal training and specific operational expertise but don’t necessarily have law degrees or as much depth of experience) for less complicated tasks like playbook creation and some notifications
- Preparing streamlined workflows via automation wherever possible
- Holding regular tabletop exercises and incident simulations, from small-group activities to large-scale events with the whole leadership team, so that privacy teams and executives better understand the types of decisions and actions they’ll be faced with.
“Usually business executives assume and expect that the cyber, technology, and risk teams will address the problem themselves, while executives watch from the sidelines,” says a chief privacy officer and associate general counsel at a major national bank. “The problem is, company leaders inevitably become the focus because it’s their data or their client data – either proprietary or personal – that’s involved. They have to notify their customers. They face potential revenue loss. So, they must be comfortable with the process, to be familiar with it, and involved in it.”
Automation takes you to a new level of efficiency
Privacy teams can reclaim time and reduce stress by using a platform that helps them:
- Develop actionable, tailored playbooks
- Organize and document which teams and personnel should work on which tasks for different types of events
- Maintain and tailor automatically-updated regulatory information
- Organize and update information on contractual obligations in one place
- Run incident simulations and tabletop exercises
- Tailor response action items to the needs of the organization
- Automatically assign appropriate tasks to team members
- Facilitate cross-functional processes and keep stakeholders up to date in real time through the use of built-in collaboration tools
- Separate on-the-record and off-the-record communication to help you strengthen privilege
- Provide a safe haven where teams can communicate without worrying about attackers spying on their efforts to address an incident
- Track and report on the types and frequency of incidents and on response efficiency, so privacy teams can analyze their performance and improve
Fortune favors the prepared
Implementing all of these elements, or as many as you can, helps you get more organized. That way, if you do have an incident, the process is cleaner and swifter than the mad scramble most privacy teams and the businesses they support are used to currently.
As we mentioned in a past blog post, privacy incidents affected 47% of companies last year alone. The law firms we spoke to repeatedly state that even the biggest companies they work with are not prepared to deal efficiently with privacy incidents. Moving from a paper response plan approach to a privacy incident management platform makes all the difference when a crisis inevitably rears its head.