The Definitive Guide to Privacy Incident Response: Coordinating Legal, Security, Privacy, and IT Teams

Privacy has reached an inflection point that calls for orchestrating teams for proactive incident management.


Privacy has reached an inflection point. New privacy programs are emerging every day in response to customer demands for privacy by design, growing regulatory pressure, and rising cyber attacks on businesses holding personally identifiable information (PII).

However, privacy is not easily bolted on. Minimizing regulatory risk and proactively managing incidents requires a concerted and coordinated effort across teams including IT, legal, privacy, and security. 

As incidents become inevitable, do you know how your business will orchestrate a response?

Need help with an incident response strategy?

Leverage the BreachRx platform to build an actionable incident response plan today!

Over the last few weeks, we’ve explored each team individually: how legal teams turn privacy incident chaos into best practice, the essential and often overlooked role of IT, and how security and privacy teams master privacy incident response. This article summarizes the part each team plays in privacy incident readiness and response, then details how to orchestrate those teams for proactive privacy incident management.

5 Steps to Beat the Legal Clock

In today’s status quo, a privacy incident can trigger a scramble to gather information: What happened? What authorities need to be notified? Is the team handling a privacy incident, a security incident, or data breach? 

The legal team must answer every question required by global regulations in a limited number of hours, often immediately. Accurate diagnosis requires in-depth knowledge of legislation that varies by state, territory, and country — plus consistent compliance across the company, customer base, and partners.

In short, no small task, even for the very best legal team.

Unfortunately, most status quo incident response plans are unequal to that task: they rely far too heavily on manual processes and individual heroics to scale to the magnitude of today’s privacy environment. The following five steps, however, will transform legal privacy incident response from chaos to proactive coordination.

  1. Organize legal teams in advance. Determine which legal professionals are needed to prepare for and respond to every incident type, as well as the critical roles and responsibilities for each team.
  2. Understand the relationship between data and legal obligations. Contractual and regulatory obligations form the core of incident response. We recommend creating a data map to drill into data types, locations, and process flows, as well as why you record each data type and what customer consent covers its use.
  3. Architect incident-specific legal playbooks. Brainstorm common scenarios within your company and industry; then answer hyper-specific questions. When XYZ happens, which specific legal professional must notify which specific authority or firm, with precisely what information, in exactly what time frame? At what cadence should that person send updates?
  4. Practice privacy readiness and response. Excellence becomes normal when your legal team conducts tabletops and simulations on a quarterly basis.
  5. Create virtuous, post-mortem legal loops. You know what they say about hindsight. After incidents occur, dissect the sequence of events to form new prevention and response plans. While legal will naturally gravitate toward response, the team can create greater value by partnering with security and IT to understand proactive prevention.

>> Read this legal 101 blog to learn more.

Orchestrating Privacy with Security

Having your legal ducks in a row is a feat in and of itself, and such teams should feel proud. However, legal is just one piece of the problem. To proactively minimize regulatory risk and lay the foundation for efficient incident management, privacy and security need to work together.

Too often, security teams only contact privacy teams after an incident occurs. The ensuing confusion burns through the little time available before notification deadlines for regulators, partners, and customers pass, and missed deadlines bring penalties and litigation. Those substantial penalties don’t even account for the longer-lasting damage to reputation and customer trust.

But when security and privacy teams proactively integrate their incident response plans, their chances of meeting regulatory and contractual deadlines soar. The following three steps may sound eerily similar to something you recently read.

  1. Create integrated response playbooks. Since some incidents call for action by both security and privacy, the associated playbooks must detail the integrated response. For example, an insider threat scenario would involve security tasks such as locking the employee’s computer(s), reviewing logs, and sharing specific information about the employee’s activity with the privacy team.
  2. Smooth integrated response with tabletops. Coordinated simulations let multiple teams master coordinated incident response scenarios. Assemble all relevant teams annually to run pre-identified playbook scenarios, and exercise subgroups every quarter.
  3. Bolster your foundation with technology. Incident management technology maps data types to regulations, enabling security teams to quickly determine whether an incident requires legal support. Seek solutions that maintain playbooks, assign tasks, facilitate simulations and cross-functional collaboration processes, and track response efficiency.

While security excels in swift cyber defense and streamlined technical operations, privacy’s strength lies in navigating complex legal and contractual matters. Integrate the two groups’ know-how to elevate privacy incident management to a whole new level. 

>> Read this privacy and security 101 blog to learn more.

Information Technology: The final piece of the privacy incident puzzle

The incident readiness and response puzzle is not complete without the information technology (IT) team. 

If you’re a privacy or security professional, you’ll position your company for success by working closely with your Chief Information Officer (CIO) or similar head of IT. The CIO and IT team must be involved in privacy incident management for four reasons:

  1. Incident prevention, through measures that reduce infrastructure and application vulnerabilities.
  2. Cross-functional coordination that streamlines incident response.
  3. Limiting disruptions to team productivity, which directly affects profitability.
  4. Enhancing processes through the purchase of automation technology.

Across the board, we see industry-leading teams incorporate three IT-related best practices into their privacy incident readiness and response programs.

  1. Align top down. CIOs must coordinate with privacy and security leaders on objectives, processes, and the roles and responsibilities of each team in incident response readiness.
  2. Tailor playbooks to specific incident types. This way, each playbook captures every relevant standard operating procedure, so response takes less time and builds competence.
  3. Rehearse together. Teams should run tabletop exercises regularly, so they know how to respond effectively and efficiently when incidents, both big and small, do occur.

>> Read this IT 101 blog to learn more.

Cross-functional privacy incident management programs are truly the bridge to thriving in the world of 21st-century business. To learn more about putting together actionable playbooks, enabling your teams with automated workflows, and protecting legal privilege through the process, demo the BreachRx platform here.
