This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by Radar, a provider of purpose-built decision-support software designed to guide users through a consistent, defensible process for incident management and risk assessment. Find earlier installments of this series here.
Measuring the efficacy of your privacy program is one way to ensure you have a baseline for improvement, as well as a means to test and prove that your continuous efforts to improve security and privacy at your organization are having their intended impacts. Establishing benchmarking metrics is also important to lend continuity to a process that can sometimes resemble a fire drill. In the midst of an unauthorized disclosure of protected, private data, your team will be moving fast and engaged in a flurry of activity in order to properly document and risk assess an incident to determine regulatory and contractual notification obligations, if any, in order to meet notification deadlines and prove compliance.
In this surge of activity, it can be helpful to break the incident management process into smaller phases to analyze. This brings us to our next benchmarking metric in this series: measuring the average timeframes for specific phases of the incident response lifecycle.
Occurred, discovered, notified
As we’ve seen in large data breaches recently covered by the media, the issue of timing can have wide impacts on your internal process, whether you are compliant with applicable regulations and public perception. It’s no longer just regulators asking when the incident occurred, when it was discovered, how long it took the organization to determine if it’s a data breach, and how long it took to notify. We’re increasingly seeing these stats reported in the media and repeated by the public.
Timelines to notify are also becoming increasingly specific in data breach notification regulations. One prominent example is the EU General Data Protection Regulation (GDPR) notification time frame: “without undue delay and, where feasible, not later than 72 hours.” This is a stark departure from some of the regulations we are accustomed to complying with in the U.S., where the patchwork of state and federal laws can vary from “in the most expeditious manner possible, without unreasonable delay” or more commonly within 30 to 45 days from breach discovery.
Analyzing the data: average timeframes in incident response
Before we begin looking at some of the timelines and breaking down the averages, it’s important to note that the metadata available for analysis within Radar reflects best practices in how incident-response management has been streamlined within privacy programs. When using automation via the Radar platform to document, risk assess, and heatmap privacy incidents, the data tends to be skewed towards shorter average timeframes, thus representing a more accelerated lifecycle than privacy programs using manual solutions and spreadsheets for incident response.
The timeframes we analyzed are anchored to three points in an incident lifecycle:
Occurrence: when the incident happened
Discovery: when the organization became aware of the incident
Notification: average date initial notification(s) were provided
Consider this lifecycle as a funnel. Despite the presumption of data breach and requirement for multi-factor risk assessment, we know that not every incident is a data breach (in fact fewer than 1 in 10 incidents are data breaches). Therefore, there will be more data available to analyze in the occurrence-to-discovery phase, while the discovery-to-notification phase will only include the incidents that represent a high risk of harm or otherwise rise to the level of a breach.
Below are the average timeframes (in days) for 18 months of incidents, January 2016 to June 2017:
Occurrence to discovery: 13.21 days
Discovery to notification: 29.1 days
One of the first things that will stick out to privacy professionals preparing to comply with the GDPR is the amount of time it takes to provide notice. Because the GDPR requires a notification time of 72 hours, this data suggests that this is no easy feat.
When we further break down this data to compare timeframes for paper versus electronic incidents, we see another interesting divergence:
- Occurrence to discovery:
○ Electronic: 6.8 days
○ Paper: 22.9 days
- Discovery to notification:
○ Electronic: 33.8 days
○ Paper: 28.1 days
Electronic incidents tend to be discovered more quickly than paper incidents, which would make sense, as many organizations have security systems that may alert privacy teams as to an unauthorized disclosure, whereas, when private data has been disclosed via paper mechanisms, it may take a while to recognize you’re missing a file or have misdirected a mailing. Conversely, electronic incidents are discovered faster, but notification is slower. This may be due to the complexity in gathering data for forensic and information-technology investigations typical to electronic incidents. More individual records tend to be exposed in electronic incidents compared to paper incidents, which could further explain the longer average notification timeframe.
The last breakdown we examined was the average timeframe by regulation, comparing incidents reportable under the Gramm-Leach-Bliley Act (GLBA) and incidents reportable under Health Insurance Portability and Accountability Act of 1996 (HIPAA):
- Occurrence to discovery:
○ GLBA: 10.4
○ HIPAA: 10.7
Discovery to notification:
○ GLBA: 15.8
○ HIPAA: 32.3
The above comparison is interesting because, though the two types of incidents are relatively close in how long it takes to discover them, on the average it takes twice as long to notify for incidents reportable under HIPAA. Although it is unclear what is behind this gap in notification timeline, one plausible reason could be that GLBA requires notification of a breach as soon as possible, while HIPAA provides for 60 days from discovery. Additionally, the gap may be rooted in factors such as volume of incidents and level of privacy resources between financial institutions and healthcare institutions.
Incident timelines and lessons to apply to your privacy program
When it comes to managing an incident, efficiency and timeliness are key components for compliance. Measuring the length of time it takes your organization to discover, document, risk assess and provide notice on a data breach will help you better identify areas that could use improvement.
Automation in incident response can help reduce time to discovery and notification in the incident-response lifecycle. Adopting a system that leverages APIs to interact with incident-detection systems and offering streamlined methods to report incidents are two good options for accelerating the time it takes to get the privacy team aware of an incident. Training employees to identify potential incidents is another way to ensure a quick response. And implementing processes or technology tools to streamline the process of documenting an incident, performing a multi-factor risk assessment, and determining which regulatory bodies and individuals may require notification brings further efficiencies to your program.
About the data used in this series: Radar ensures that the incident metadata we analyze is in compliance with the Radar privacy statement, terms of use, and customer agreements. The information extracted from the platform for purposes of statistical analysis is not identifiable to any customer or data subject.
photo credit: Visual Content Data Breach via photopin(license)