TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | On making breach determination a team effort Related reading: What to do when ransomware holds your business hostage



This is part three of a three-part series on incident response management. Find part one, on building an incident-response team, here. Find part two on how to tell if an incident is a breach here.

Privacy and information-security often live in their own silos, an impractical separation that can place both an organization and its customers at risk from a data breach. This risk occurs when a security incident — say, a malware attack that exposes customer information — is remediated without undergoing a proper risk-assessment to determine if it includes regulated data and thus could be a reportable breach.

Even if the malware is removed, the customer data is still out there, possibly in the hands of criminals who may sell or misuse it. Without a proper risk assessment to determine if the incident is a data breach requiring notification, your organization could face regulatory sanctions, fines, and reputation-damage; classic data breach risks. You may be wondering:

  • Do I have a process for conducting a risk assessment for each incident against all applicable federal and state breach laws?
  • Does my process for managing security incidents stand up to the legal litmus test of being repeatable and consistent — a regulatory requirement for many industries?
  • Do I consider the legal definition of “data breach” as per state and federal regulations when I assess an incident?
  • Would this process withstand a regulatory investigation?

In order to answer yesto these questions and effectively mitigate breach risks, you must break down the silos between privacy and security. Only then can you make breach determination a cooperative effort.

Start with security

Once an event is discovered, the details are normally captured and evaluated by the information security team to determine if it poses an adverse affect — that is, if the event should be up-leveled to a security incident. This includes completing a root-cause analysis, performing remediation, and then documenting the facts of the event, such as:

  • The source of the event;
  • The level and risk of exposure;
  • The nature of the personal data potentially exposed, and whether any protections (such as encryption) were in place;
  • The number of potentially impacted individuals;
  • Remediation steps taken to contain the incident and limit exposure risks;
  • Is the event ongoing or static?, and
  • Malicious/non-malicious intent.

If information security determines the event is indeed a security incident, then it must undergo a risk assessment to see if it’s a data breach that requires notification. That’s where privacy comes in. 

Privacy takes over

The security team provides valuable information about an incident that requires analysis by the privacy or compliance team. This analysis comes in the form of a multi-factor risk assessment, and requires such information as:

  • The nature and severity of the incident;
  • The type and sensitivity of the regulated data that was impacted;
  • Remediation steps that may lower the risks of data disclosure or acquisition,
  • Whether the incident qualifies for any exemptions, such as if the data was encrypted.

Only with extensive and consistent input from information-security can the privacy or compliance team assess the facts of the incident against applicable state and federal laws and decide if the incident is actually a breach. Using incomplete or inaccurate information about a security incident for the risk assessment can lead to an incorrect breach determination and response that puts an organization at risk for regulatory action and reputational damage. Clearly, information-security’s role in incident risk assessment can help make the difference between good and bad business decisions.

Privacy and security: Better together

Fostering cooperation where separation used to exist is difficult. Privacy and security teams have their own priorities and budgets, which may viewed as competitive rather than cooperative. But, as we’ve said, it’s this limited perspective that increases data breach risks.

To encourage privacy and security to work together, organizations must simplify their approach for managing incident response. That means automating the different phases of incident response management, especially the risk assessment,  allowing both privacy and security to play their role in protecting customer information against the growing threats of data breaches. 


If you want to comment on this post, you need to login.