The dangers of data breach make for great headlines: data held for ransom, financial fraud, and medical identity theft, to name a few. But despite the many risks of data breach, from a business standpoint, the most immediate threat in most security incidents is failure to comply with regulatory requirements. The vast majority of security incidents don’t turn into data breaches, and not all breaches result in theft or other damages. But failure to report or meet other regulatory requirements can result in stiff penalties regardless. Therefore, incident response processes should be organized not only to address data security but also how best to determine whether an incident is a notifiable breach.
It takes a combination of specialties to handle a data security incident in a way that fully protects the organization. Assessing whether a data breach has occurred or not requires both data security and compliance expertise. Unfortunately, in most businesses, the information security, privacy, compliance and other organizations don’t work together fluidly to respond to an incident, leaving the organization vulnerable on the compliance front. A highly effective organization will define parallel paths for incident response very early in the discovery process. This not only enables accurate assessment of the incident from both the information security, compliance, and risk standpoints, it also positions each functional team to provide effective response and risk management throughout the entire lifecycle of the incident, whether or not it is determined to be a breach.
There are some immediate actions that privacy and IT/information security can take together to close the compliance gap. Since the IT/information security team is, by definition, the first responder to a data security event, the first step is to change their policies and operating procedures so that every incident is assessed not only from the security side but also from the compliance viewpoint. There should be:
- A policy to notify the privacy/compliance team as soon as an event is suspected to be an incident, so they can begin a parallel evaluation into the pertinent compliance requirements.
- A procedure for promptly and visibly notifying the compliance team and other potential stakeholders. (There must be no risk of a notification getting lost in someone’s email inbox).
- A vehicle for documenting and handing off all of the information needed for the compliance evaluation: What data was touched, how much, whose, etc.? (This will also save time in the compliance process if notification turns out to be necessary.)
Catamaran, a company that provides pharmacy benefits management services to healthcare organizations, functions as both a HIPAA covered entity and as a business associate. When Catamaran implemented incident management software and trained its staff in risk-based incident response, the number of reported incidents went up because the software automates the process of evaluating incidents against the whole matrix of current state and federal regulations. Catamaran discusses its approach in a recent webinar, Bringing Incident Response & Breach Management Out of the Dark Ages.
The focus on thriller-worthy cyber-security threats can distract from the day-to-day, yet critical needs of compliance and risk management. It can also divert funding and organizational clout from foundational privacy and security hygiene, and many organizations are beginning to integrate privacy/compliance and information security to ensure better collaboration and a focus on more than just technology. Security blogger Matt Kelly recently compared this more integrated approach to preparing for a heart attack: “You can go through life equipped with tools to reduce that risk, such as a defibrillator, and it will indeed help when the time comes. Or you can improve your process of being healthy: eating right and exercising. Neither one of those procedures will assure that you never have a heart attack—but they will help you immensely in staying alive should a heart attack come to pass.”