Navigating the Breach Regulatory Maze: Proper Incident Risk Assessment and Response
4 min read
Cyber attacks. Lost paper files. Third-party snafus. Misdirected emails. Endless are the ways in which sensitive personal information is accidentally or deliberately exposed. Despite best efforts, it is impossible to stop sensitive data from falling into the wrong hands.
According to a new report, Risk Based Security identified 3,930 data breaches reported during 2015, exposing more than 736 million records. Poorly managed, these data security and privacy breaches put organizations at high risk for regulatory fines, lawsuits, lost business and reputational harm. In addition, customers, patients and employees affected by the exposure of their sensitive information fall prey to identity theft and other forms of fraud.
The Challenges of Incident Risk Assessment
No incident is alike. The types and sensitivity of data exposed, the root cause of the incident, the nature and intent of the recipient of the exposed data—these and other variables make consistency of incident risk assessment a difficult challenge for privacy, compliance and risk professionals.
For example, the Risk Based Security report found that:
- Hacking accounted for 64.6 percent of breaches and 58.7 percent of exposed records.
- Nearly half of breaches involved passwords and more than 45 percent exposed email addresses.
- The breaches reported covered more than a dozen industry sectors, from technology to government to retail to healthcare.
In addition to incident variability, data breach laws are a maze of growing complexity and ambiguity. There are 51 state and territory breach notification laws that have different definitions of personal information, allow varying exceptions and have different requirements regarding notification thresholds, content and timing. And these laws are rapidly changing and getting stricter: In 2015 and the first part of 2016, 10 states enacted new addendums or breach laws. Adding to the complexity is a plethora of federal regulations and standards—HIPAA, GLBA and PCI to name a few—as well as international laws and the long awaited European Union’s General Data Protection Regulation (GDPR).
The primary struggle for privacy and compliance professionals is lack of consistency given the manual and highly subjective methods of conducting the required multifactor risk assessments. This is understandable, given the challenge of assessing the unique nature of each incident against this backdrop of complex breach notification regulations and lack of purpose-built and automated incident risk assessment tools. And if such a homegrown tool is developed, many organizations find it doesn’t scale, it can’t keep up with the changing regulations and is difficult to use.
Four Steps to Successful Incident Risk Assessment and Response
In order to reduce the risks from unavoidable privacy or security incidents, organizations need an automated and highly consistent process for incident risk assessment. This process must allow each unique incident to be assessed with the latest updates to breach notification laws. To help you accomplish this, consider these four tips:
- Understand the difference between an event, an incident and a breach. These terms are often used synonymously or incorrectly, but important distinctions exist. For example, an incident is an event that violates an organization’s security or privacy policies involving sensitive information. A breach, on the other hand, is an incident that meets the legal definition of a breach and requires notification to affected individuals.
- Develop a scalable process for reporting incidents. Timely and efficient reporting of suspected incidents by employees, customers and third-party entities is critical for implementing a successful incident response process. Use web forms to efficiently and securely capture incident information and to automatically route the information to the appropriate professionals for investigation and incident risk assessment.
- Automate data breach risk assessment. Given the short time line for notifications based on a multifactor incident risk assessment, you need a system that is agile and provides a multifactor risk assessment based on the latest in breach notification laws across all jurisdictions where you have regulatory obligation.
- Track trends in incident categories and root causes. Learn from your incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk. Automation is key to ensuring proper analysis and risk mitigation.
Organizations can ill afford to underestimate the importance of consistent incident risk assessment and response. Done right, this process provides a road map for successfully responding to potential breaches, meeting regulatory requirements and protecting the people who trust us with their most confidential information.
Join Mahmood Sher-Jan at ISACA’s North America CACS in New Orleans 2-4 May. Sher-Jan will present Navigating the Data Breach Regulatory Maze (session 234/Privacy Track) in depth on Tuesday, May 3.
Mahmood Sher-Jan, CEO, RADAR® business unit, ID Experts
[ISACA Now Blog]
English