PRIVACY INSIGHT SERIES Summer / Fall 2018 Webinar Program
Data Breach Management – Requirements and Best Practices 19 September 2018
© 2018 TrustArc Inc Proprietary and Confidential Information
Today’s Speakers Travis Cannon Director of Partnerships RADAR
Deborah Cook Wells Senior Privacy Consultant TrustArc
Privacy Insight Series - trustarc.com/insightseries
Today’s Agenda
• Welcome & Introductions
• Regulatory Overview
• Creating an Effective Breach Management Program
• Benchmarking
• Creating the Right Culture
• Recommendations – Next Steps
• Questions
Regulatory Overview
Growing breach regulations in U.S. & around the globe
Regulatory complexity continues for privacy professionals in the United States and across the globe:
• 2018: New or amended breach notification legislation has gone into effect in 9 states year-to-date, with 2 additional bills going into effect by the end of the year. Trends:
– Expanded scope of personal information
– Required notification to the state AG
– Specific timeline (30 - 45 days) for notifications
• Consumers are more aware of their privacy rights:
– Consumer complaints in the EU rose by 14.5%
– ICO received 46K more calls than the previous year, a 24.1% increase
– Number of live chats rose by 61.5%
A Successful Data Breach Management Program
Lifecycle of an event
Someone does/sees something → Privacy Team receives the Event → Privacy Team performs Initial Review → Privacy Team determines Event is an Incident → Privacy Team and SME perform Risk and Regulatory Assessment → Privacy Team determines if Breach (notification needed) → Notification performed → Reporting and remediation
• An Event is reported by employees or vendors when something looks suspicious
• After Initial Review by the Privacy Team, the Event is determined to:
– Become an Incident (possible breach, needing more review)
– Stay an Event (kept in reporting, no further work required)
• If determined an Incident, SMEs are included in Risk and Regulatory Assessment
• A Breach is a compromise to the integrity of systems or unauthorized access or disclosure of personal data, which requires notification to regulators or consumers
• If a Breach, notification takes place
• Management Reporting executed, Remediation plans built and executed
Building an efficient & effective incident response program
Hallmarks of the people/human element of your incident response program:
• A trained, observant workforce
• Strong vendor management oversight
• Dedicated Privacy Team
• Close ties with IT (DPIA and PIA, DLP etc)
• Selected SMEs in each business process
Building an efficient & effective incident response program
Operationalizing your incident response program in 5 steps:
1. Streamlined incident escalation to privacy team
2. Multi-factor incident risk assessment
3. Notification content & timeline
4. Real-time reports and trend analysis
5. Staying current with changing regulations
Hallmarks of a Successful Breach Investigation
• Event researched to quickly determine:
– Data elements involved
– Systems involved
– Consumers involved
– Risk of harm determined
– Regulatory requirements identified
• Escalation properly performed
– SMEs involved
– Correct level of management involved
• Timely notification provided
– Clear, concise, and in required format
• Documents captured and stored
• Accurate reporting and useful remediation performed
Benchmarking Insights
Incident benchmarking data
18.4% of privacy events in 2017 rose to the level of a breach (13.86% in the first half of 2018)
• However, every incident matters.
• Even though only one in 10 incidents is actually a notifiable breach, it is still critical to assess every incident.
• By documenting and assessing every incident, every time, your organization will have complete documentation of each incident, as well as a record of every aspect of your decision as you conduct incident assessments, even for incidents that clearly fall outside of regulatory requirements.
Dashboards
• Accurate reporting usually includes:
– Activity Numbers
• Events reported, by which Business Process Team
• Incidents researched, by type (whatever is applicable to your industry, company)
• Breaches
• Notifications, by type (Regulator, Consumer)
– Timeliness Numbers
– Updates on remediation efforts
– Progress against KPIs, KRIs, LRIs
– Actionable information is best
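The lifecycle stages on the earlier slide (Event, Incident, Breach, Notification), the breach-rate benchmark and the dashboard numbers listed here can all be derived from a single incident register. The script below is an added example for this deck, not TrustArc or RADAR code: the register layout, the eight sample records, the 45-day deadline (picked from the 30 - 45 day state range cited in the regulatory overview) and the as-of date are constructed assumptions, chosen so that one notification lands late and one breach is still open.

```python
"""Dashboard metrics over a privacy incident register.

Added example for this deck (not TrustArc or RADAR code). The register
layout, the sample records, the 45-day deadline and the as-of date are
constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEADLINE_DAYS = 45            # assumed notification deadline (page cites 30 - 45 days)
AS_OF = date(2018, 5, 15)     # assumed reporting date for open breaches


@dataclass
class Record:
    """One register entry. Every record starts life as an Event.

    stage is the furthest lifecycle point reached: "event" (closed after
    initial review), "incident" (risk and regulatory assessment performed)
    or "breach" (notification required).
    """
    record_id: str
    business_process: str
    reported: date
    stage: str
    incident_type: Optional[str] = None
    breach_determined: Optional[date] = None
    notified: Optional[date] = None
    notified_to: tuple = ()


# Constructed sample register (not real incident data).
REGISTER = [
    Record("EV-001", "HR", date(2018, 1, 5), "event"),
    Record("EV-002", "Finance", date(2018, 1, 12), "incident", "misdirected email"),
    Record("EV-003", "Marketing", date(2018, 2, 3), "breach", "misdirected email",
           breach_determined=date(2018, 2, 10), notified=date(2018, 3, 5),
           notified_to=("consumer",)),
    Record("EV-004", "HR", date(2018, 2, 20), "event"),
    Record("EV-005", "IT", date(2018, 3, 1), "breach", "lost device",
           breach_determined=date(2018, 3, 8), notified=date(2018, 5, 1),
           notified_to=("regulator", "consumer")),
    Record("EV-006", "Finance", date(2018, 3, 15), "incident", "lost device"),
    Record("EV-007", "HR", date(2018, 4, 2), "event"),
    Record("EV-008", "Vendor", date(2018, 4, 10), "breach", "vendor disclosure",
           breach_determined=date(2018, 4, 20)),   # notification still outstanding
]


def activity_numbers(register):
    """The 'Activity Numbers' block of the dashboard slide."""
    events_by_process = Counter(r.business_process for r in register)
    incidents_by_type = Counter(r.incident_type for r in register
                                if r.stage in ("incident", "breach"))
    breaches = sum(1 for r in register if r.stage == "breach")
    notifications_by_type = Counter(t for r in register for t in r.notified_to)
    return {
        "events": len(register),
        "events_by_process": dict(events_by_process),
        "incidents_by_type": dict(incidents_by_type),
        "breaches": breaches,
        "notifications_by_type": dict(notifications_by_type),
    }


def breach_rate(register):
    """Share of reported events that rose to a notifiable breach (the 18.4% style figure)."""
    if not register:
        return 0.0
    return sum(1 for r in register if r.stage == "breach") / len(register)


def timeliness(register, deadline_days=DEADLINE_DAYS, as_of=AS_OF):
    """Days from breach determination to notification, checked against the deadline.

    Breaches not yet notified are 'open', or 'overdue' once the deadline has
    passed as of the reporting date, so they are never silently dropped.
    """
    rows = []
    for r in register:
        if r.stage != "breach" or r.breach_determined is None:
            continue
        end = r.notified or as_of
        days = (end - r.breach_determined).days
        if r.notified:
            status = "late" if days > deadline_days else "on_time"
        else:
            status = "overdue" if days > deadline_days else "open"
        rows.append({"record_id": r.record_id, "days": days, "status": status})
    return rows


if __name__ == "__main__":
    import json
    print(json.dumps(activity_numbers(REGISTER), indent=2))
    print(f"breach rate: {breach_rate(REGISTER):.1%}")
    for row in timeliness(REGISTER):
        print(row)
```

Run it as a script to print the counts, the breach rate (3 of 8 here) and one timeliness row per breach; in a real program the register would be loaded from the incident tracking system and the deadline would be looked up per jurisdiction rather than fixed.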
Creating the Right Culture
Hallmarks of a Good Data Incident Culture
• There is an increasing number of Events reported to the Privacy Team
• There is a slowly decreasing number of ‘bad’ Events reported to the Privacy Team
• SMEs are willing to participate in Risk and Regulatory Assessments, and use the knowledge they gain to make changes to processes and procedures
• Notifications are made in a timely manner
• Senior Management is comfortable with escalations and reporting
Recommendations – next steps
Things to think about – The Basics
• Do you have a policy in place to address privacy breaches?
• Has your workforce been trained?
• Do you have a project plan, templates, and escalation plans in place?
• Have you run a simulated data breach?
• Does your senior management know that data breach management is part of your total Privacy Program?
Graphic Source: IAPP: SecureIntel
Simulated breach and lessons learned
• Andrea Jelinek, Chair of the EDPB (formerly Art 29 WP), says one of her biggest recommendations around breach is to prepare internally by doing a simulation exercise
– Mock tabletop exercises, i.e. planting a fake breach and either letting the teams know (or not) to see how they respond
– The most likely cause of a breach is human error. Make sure your workforce is your biggest asset, not your greatest risk
• A second recommendation is to prepare internally by regularly performing a lessons learned exercise
– Review your larger or more troublesome incidents
• Look at root causes, systems impacted, data involved, consumers
• Review timeliness of initial notification, responses, escalation path, feedback from consumers, remediation
Questions?
Contacts
Travis Cannon travis@radarfirst.com
Deborah Cook Wells dwells@trustarc.com
Thank You! Register now for the next webinar in our 2018 Summer / Fall Webinar Series, “ePrivacy Regulation - What to Expect and How to Prepare”, due to take place on October 24, 2018. See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.