Essentials for Building a Scalable Privacy Response Strategy. Jay Loder Rouleur Privacy Consulting

Transcription

1 Essentials for Building a Scalable Privacy Response Strategy Jay Loder Rouleur Privacy Consulting

2 Introduction Customers want organizations to take responsibility and protect them from the potential consequences of privacy breaches Once a breach happens the impact can weaken customer trust and brand loyalty Customers, Boards of Directors, and oversight agencies want to know what organizations are doing to protect them from the consequences of privacy breaches

3 Breach? Incident? Terms are often used interchangeably A privacy breach is defined in the Generally Accepted Privacy Principles ("GAPP") as having occurred when personal information is collected, retained, accessed, used, or disclosed in ways that are not in accordance with the provisions of the enterprise's policies, applicable privacy laws, or regulations. May be one or a series of events

4 Breach Response Without a Breach Response Strategy, organizations have risks associated with loss of customer trust, liability to injured parties, harm to the organization's reputation, drops in stock value and lost business Breach response is the creation and execution of a strategy an organization has created to address and mitigate the impact of a breach. Elements include: A strategy to investigate the breach, notify affected individuals, meet legal requirements in a prompt and thorough manner identify and addressing system backup/recovery and business continuity A response plan can range from simple to complicated and should be scalable as to accommodate the growth and evolution of the organization

5 Questions Organizations Should Ask About Privacy Breach Management/Strategy Has the organization designated someone the responsibility and clear authority to oversee privacy breach handling? Do you have a Team with broad representation? Do you have an breach response plan is someone available 24/7 hackers (and your staff) may be working after hours and weekends! Has the organization established policies/procedures to meet it s obligations to it s customers/clients? To Regulators? To oversight or governing authorities? Has the organization considered the value added services available from an independent Practioner to test/verify the Policies and Plans? Does the organization monitor and report incidents/breaches? Does the organization know the cost of it s privacy incidents/breaches - and thus able to determine ROI on investment in staff training/awareness/prevention? Have you reached out to Regulators (and law enforcement) where possible or appropriate? And when you have a breach to report, it s better they hear it from you first a brief courtesy call or goes a long way.

6 True or False Small Businesses Aren't in Danger Some cybercriminals prey upon small businesses because their lack of proper security measures make them easier targets. Threats are limited to Outside the Organization Much of the risk behind data breaches are internal - A recent study by the Ponemon Institute found that 81 percent of small businesses suffered data breaches as a result of employees mishandling sensitive information. Why? Vendors/Third Parties Are Not a Threat Vendors and third parties may have access to your customer and employee data. Businesses shouldn't trust their vendors to do the appropriate due diligence for them, having contractual obligations in place to deal with a breach before it happens makes good business sense.

7 Setting Yourself up for Success Identify accountabilities who s accountable for the policy/procedures who s accountable for processes Be familiar with the international, domestic and local regulations that specifically relate to your organization. The failure to notify the appropriate regulator/oversight body can result in further inquiries, embarrassment and sanctions or fines. Perform a gap analysis of current policies and procedures Identify and implement improvements

8 Plan to be Prepared Even quality strategic plans are won t succeed if they are not effectively implemented and tested. The ultimate success or failure of employing a plan often lies in it s execution. Given the unique circumstances of each organization, there is no single implementation model. Each organization must determine its own appropriate plan and execution methodology. In early stages, executing a plan may be unknown territory. Accordingly, be prepared to modify the plan as the implementation unfolds, full implementation of a strategy may require several cycles over multiple years. Success will depend on committed leadership, planning and direct involvement by both operational and senior management Keep it simple, get started, build momentum!

9 Make Friends with Corporate Risk Management Organizations large and small have risks - financial, competitive, etc. Thinking of privacy risks in the same context makes good corporate governance sense Ensuing your organization has an incident management plan is key to managing privacy risks, supporting good corporate management and building customer trust Corporate Risk Management can be an ally!

10 Risks and Breach Management Data is the lifeblood of an organizations, managing data involves risks. Balancing risk and reward to generate returns to shareholders is fundamental to any business. Your approach to risk it s important to understand what is meant by risk capacity, risk tolerance and risk appetite. Think about these concepts as a hierarchy. Risk capacity defines the outer limit of risk that an organization could undertake. Risk tolerance reflects the limit of risk set by the organization that it would not willingly exceed Risk appetite is the level of risk that the organization is willing to accept in pursuit of its longer-term goals Your breach management strategy needs to relate to your risk management strategy and consider the risk hierarchy. Consider how handling privacy incidents relates to your broader risk strategy.

11 Incident Management Initial Assessment, Confirmation, Containment Full assessment including risks Notification affected parties Notification to Regulators, Oversights Mitigation, Prevention, Learnings, Communications

12 Incident Response Planning Know where and what your data is - helps to speed determination whether a compromised system holds personal information Identify a team commensurate with the size of the organization Identify what incidents fall within the response plan all incidents? Only those above a certain threshold ( e.g. a single misdirected letter?) If expertise is not available in house have you identified key external contacts who can assist? Team should operate under a documented process and communication plan Roles defined in particular who is on lead Responsibilities defined Response strategies defined

13 Breach Planning Reality Check We all know personal information has become a criminal commodity but Consider your risk appetite and resources can you respond to every misdirected piece of mail?

14 Those who do not document their history are doomed to repeat it Strategy should be documented, along with revisions Policy/procedures should be documented Incidents must be documented evidence chain cost analysis trending Process (and outcome) for testing the Strategy should be documented

15 What we Got Here is Failure to Communicate A well planned (and-executed) communications plan can: minimize harm to customers/clients minimize (or at least determine) potential legal consequences mitigate harm to a company s reputation Anticipate critical audiences and applicable laws Notification - before notifying it s helpful to understand your customer (e.g. geographic region, demographics) and tailor the message Knowing what to say is just as important as knowing what NOT to say

16 Who Needs to Know External - Customers Internal - Stakeholders Media Law Enforcement External Counsel Oversight regulators, governing bodies

17 Notification Have a Plan More complicated than simply letting the affected customer/client know their information may be lost or compromised. Potential external recipients of notification Customer/client law enforcement (breach result of criminal activity, potential harm to an individual or organization) Regulators, Professional bodies Shareholders, investors Contractual parties including third parties, insurers Technology supplier (breach due to technical failure) Potential internal recipients of notification Media relations, Marketing, HR employee misconduct

18 Notification Be Prepared Forms of notification include written, phone, or in some circumstances substitute Find the sweet spot - delays in notification may result in loss of customer trust and potential legal action but notification sent to hastily may be incorrect, incomplete or even unnecessary Where possible have notification templates in place

19 Summary - Top 5 Incident Plan Shortcomings Info security and privacy teams often develop siloed incident strategies Organizations do not test their incident management strategies and plans Lack of internal stakeholder support Lack of clarity regarding roles and responsibilities Lack of a clear (and nimble) plan on communicating internally, to customers, oversights, the media and social media (twitter, bloggers, etc.)

20 Final Thoughts Effective oversight of privacy risk requires rigour, objectivity, and the recognition that unforeseen events and circumstances can and often do occur Progressive organizations will be mindful that it is seldom a single issue or event that spells disaster but rather several factors occurring simultaneously Leaders of progressive organizations should have the conviction, discipline, and enlightenment to understand the value in planning for the inevitable Above all - get started, there are lot s of tools, templates, support available!

21 Sample Forms, Checklists The Canadian government has a concise checklist for responding to a privacy breach. They stress it is prudent to have a set of protocols on what to do if breach occurs. A similar, though less detailed, checklist is also provided by the US Federal Trade Commission (FTC) checklist.pdf

22 Resources IAPP publications Regulators Nymity.com excellent resources on breach response, breach management Service Providers

23 Questions?

24 Rouleur Privacy Consulting Rouleur Privacy Consulting Ltd. is a Vancouver Canada based organization that provides consulting services - privacy program development and strategy privacy risk assessments privacy maturity models awareness and training privacy incident response Contact - Jay@rouleurconsulting.com