Benefitting from a privacy breach first requires recognizing that failure breeds opportunity for organizational change and growth. Growth from an organizational failure, like all growth, requires planting the right seeds at the right time and in the right environment.
Similar to business continuity or disaster recovery, breach preparedness is difficult to calculate the importance of until you need it. This makes it more susceptible to receiving less organizational focus or financial backing, especially during times of fiscal restraint. Organizationally, it can be difficult to invest in the “what ifs." But when those “what ifs” become “oh nos,” there is an opportunity to change this, if the privacy professional seizes it. A privacy breach can actually benefit an organization by transforming an “oh-no” moment into a calculated opportunity for improvement and positive organizational change.
Benefitting from a privacy breach first requires recognizing that failure breeds opportunity for organizational change and growth. Growth from an organizational failure, like all growth, requires planting the right seeds at the right time and in the right environment. In the very early days of a breach, the focus is usually on containment followed by investigation and notification of the affected individuals. The initial mood is often one of panic and high stress. This is not the time to reflect on current funding, focus or commitment to breach management. Once the breach is contained, notification is underway and an initial preliminary incident report completed, the initial panic should have subsided. This is likely the best time for a discussion about the management of future incidents.
As an organization tends to its wounds from a breach incident, it is important to reflect on what functioned well and what didn’t once the breach response protocol was initiated. Often referred to as a breach incident response review or a post incident assessment, this tool will provide a good overview of the steps the organization took to manage the incident. It is important to look at all aspects of the organizational response. At a minimum this should include:
- Staffing and resourcing the incident;
- Containment – timing, processes;
- C-suite commitment – sign off, allocation of resources;
- Clarity of roles – response team and others, and
- Notification process – individuals, regulatory bodies etc.
The list cited above is meant to be a starting point for the post incident assessment for your organization. It is not intended to be exhaustive and your organization may have other aspects of your response that are significant or require a careful examination.
It is important to compile this assessment into a simple, easy-to-read document or slide deck that highlights key findings, especially those areas where improvements need to be made. This will enable a quick turnaround for the assessment which will allow you to continue to work within the right time window, and second it will empower you with the key selling points for the next stage in the process which is auctioning the renewed focus on breach management.
Renewing funding, commitment and focus
Experiencing a privacy breach can act as a turning point for an organization, if the post incident organizational clean-up is managed in the right way and with the right timing. Once the privacy professional has completed this assessment, it is time to act. In most organizations and with most breach incidents, if more than three months have passed since the incident, the organization has probably waited too long. Management’s attention to the incident has been brushed aside by other, new priorities and issues of the day. But if the assessment is completed within that window, it is likely that enough organizational memory exists to still benefit from the incident. There are three main objectives for breach management change after a breach incident;
- Renew funding
- Renew focus
- Renew commitment
In order to accomplish these objectives, decision-makers in the organization understand the connection between the findings in your post incident assessment and each of these goals.
For some organizations this goal will be the easiest to accomplish. Decision makers, scared from the recent breach, may be more willing to sign a check to make sure similar incidents do not happen. Others, facing fiscal restraint may find this the most difficult goal. This is especially true when breaches are large in scale and have significant financial consequences.
Assuming the decision-makers have a finite amount of money to distribute to internal projects and ventures, the privacy professional are case must be clear, concise and based on evidence. The recent evidence of the breach incident can provide real value that’s timely and relevant to any financial requests. Include any documentation you have regarding media attention, staff, customer or client concerns or comments from industry partners to help build the case. The organization needs to demonstrate its commitment to privacy to its stakeholders, clients and staff, after an incident. Using the post-breach assessment, you can implement specific improvements to the breach-management process based on the evidence gathered. This will likely require financial resources and the freshness of the situation makes this the right time to ask for the financial boost to update your breach processes.
Only in extreme situations of organizational malaise would the internal privacy team not receive attention after a breach incident. This often sudden attention is a natural outcome and it is unlikely the enhanced focus will be all positive. So you have their attention, the key is to focus that attention on the breach management process. Discussions regarding the organizational benefits of faster reaction times, sign-offs and earlier notification are all important drivers in retaining and aligning that focus with your breach-management process. Depending on the specific breach incident, this may also be a good time to introduce new commitments from staff as well as enhanced privacy training. Use the focus to discuss the facts of the incident but the main driver should be how to improve internal process.
Finally using a breach incident as an opportunity to renew your organizations leadership’s commitment to privacy protection can prove an extremely effective tool for fulfilling the needs and wants expressed in the first two goals. Suggesting strong communications internally and externally focused will set a tone from the top understanding of the importance of privacy within the organization. A clear, concise message to external parties will not only increase trust with industry partners, it will also serve as a reminder of why internal privacy obligations need to be met.
Privacy breaches can serve as an opportunity to create change to an organization’s overall approach to privacy, especially the breach management process. Using this approach will help guide your organization to recover from future incidents and will help the organization to redeem itself in the eyes of stakeholders, clients and staff. Most importantly it will give the privacy professional an opportunity to update, adapt and refresh the organizational breach management process.
photo credit: IMG_0296-4 via photopin (license)
If you want to comment on this post, you need to login.