Facebook, Equifax fines show privacy favors the prepared
Recent events provide a teachable moment for privacy programs and highlight the importance of being prepared should a breach occur.
Facebook was fined $5 billion for its handling of users’ personal data and ordered to add oversight to its data practices. Equifax agreed to pay $700 million to settle investigations into the 2017 hack that exposed the personal data of millions. British Airways and Marriott received over $300 million in GDPR fines. All of this happened in July.
To ensure privacy regulations don’t slap your organization with a hefty fine for a data breach, revisit your procedures for managing a privacy incident. Chances are, your company has an incident response plan, but is it ready for a privacy incident? Here are five tips:
Test policies and procedures
Have you tested your policies and procedures around a privacy incident? Dry runs that involve all stakeholders (legal, human resources, public relations, customer service, security, IT, third parties and executive staff) yield lessons that can help prevent privacy incidents, limit their impact and accelerate response times.
Review incident detection processes
Which department is responsible for detecting malicious activity such as a cybercrime involving customer data? Who identifies and reports it as an incident? Review the critical junctures where communications and handoffs occur. For example, organizations that already comply with HIPAA will find privacy requirements familiar. For other businesses, privacy rules will be new.
Check internal/external communications
Privacy data breaches impact operations and expand outward as bad news travels fast. You will need customer service and public relations’ assistance to proactively manage the fallout. The goal is also to prevent further damage and arm leadership with hard facts they can use to make decisions. All the above require communications.
Assess recovery efforts
After a privacy incident, it’s time to investigate and follow through on findings. Are you prepared to complete a forensic analysis to determine the origin of the data breach? Are recovery processes effective, or could they lead to additional violations? Can you restore data from backups? Update policies, procedures and processes as necessary, and make any changes needed to prevent the same incident from repeating.
Ongoing assessments and continuous monitoring
You need a game plan going forward after a privacy data breach. That’s where ongoing assessments and monitoring come in. Assess third parties and processes that handle customer data to better understand the risk level of an incident and make corrections. Rely on continuous monitoring to bridge the gap between assessments and allow time for proactive steps.
Most incident response plans fail because of a lack of testing, outdated procedures, weaknesses in the plan, or a failure to do forensic analysis. These five tips help address incidents involving privacy.
Privacy presents a different challenge. A privacy incident affects customers and often involves third parties, and it spreads socially and attracts the media. You need to be proactive, not just reactive, both inside and outside the organization.
Like it or not, privacy regulations are sweeping across the world. The sooner you adapt and prepare for compliance and incidents, the more likely you’ll avoid fines and reputational damage. You’ll be a leader in managing customer data and protecting customers’ privacy.