I had the great opportunity to interview Mahmood Sher-Jan about new developments in data incident response. Mahmood Sher-Jan, CHPC, is the Founder and CEO of RadarFirst, a company dedicated to applying innovation and software technology to address the growing data privacy and security challenges faced by organizations that maintain regulated personal data. He holds patents in incident management, fraud prevention, and secure identity solutions; Mahmood is the inventor of Radar, an award-winning and industry-leading incident response automation platform.
SOLOVE: What challenges prevent organizations from making timely and consistent data breach notification decisions?
SHER-JAN: When it comes to compliance with data breach notification laws that impose strict notification requirements, each incident must be risk-assessed in accordance with all of the applicable federal, state, and international laws where the entity conducts business or the affected individuals reside. The time required to handle all of these steps — incident intake, investigation, multi-factor risk assessment, legal review, notification decision, and documentation — can be extensive.
There are three main challenges preventing organizations from making timely and consistent data breach notification decisions. Firstly, privacy and compliance professionals must navigate a complex and sometimes overlapping list of applicable laws. From applicable jurisdictions to notification timelines and reporting obligations, sorting out responsibilities after an incident can be very time-consuming. Secondly, they must sort through varied definitions of what constitutes personal information in different jurisdictions and varied risk of harm standards. And lastly, most organizations rely on manual, time-consuming, and highly subjective approaches to perform risk of harm assessments for making notification decisions.
The ongoing evolution of data protection regulations makes compliance not a one-and-done activity, but instead requires constant vigilance to keep ahead of changes. And it is this fluid regulatory landscape that challenges even the most diligent organizations and their compliance teams to ensure that internal policies and systems can meet the regulatory challenges.
SOLOVE: What do breach notification laws have in common? Where do they differentiate?
SHER-JAN: Data breach regulations are influenced by cultural, business, and political differences which are reflected in the varied definitions of “data breach” across the world.
Historically in the US, GLBA’s and states’ definitions of data breaches have been in the context of financial harm to individuals. HIPAA introduced the notion of reputational harm to patients, in addition to financial harm and other/medical harm. International regulations such as GDPR take into account additional harms such as cultural and social impact on individuals whose personal data is involved in an unauthorized disclosure.
Different industries also use different definitions of protected information. The new National Association of Insurance Commissioners (NAIC) data security model laws define breaches of personal information differently than state laws and HIPAA or GLBA. We can agree that an insurance photo of a bent car fender isn’t personal, whereas a medical image of a patient’s body should be protected.
We also see different economic and cultural priorities reflected across jurisdictions. For example, the California Consumer Privacy Act (CCPA) favors the individual, expanding the private right of action for privacy violations, whereas some other U.S. regulations prioritize business use of consumer information, allowing only state attorneys general to prosecute violations.
Experience suggests that privacy itself will continue to be a complex and evolving concept, and that complexity will continue to be reflected in data collection and protection and the regulations that corral them. New laws will update or overlay existing laws, notification deadlines will continue to shorten, and definitions of personal information will continue to expand. And even sweeping legislation won’t override all the contractual privacy and notification obligations that must be tracked and met.
SOLOVE: What risks are involved with improper or inconsistent risk assessment in incident response?
SHER-JAN: Given that the burden of proof falls on the organization, some organizations mistakenly believe that by reporting all incidents they are meeting their compliance obligations and mitigating risks to the business. However, the opposite is true. Failing to consistently assess the sensitivity of exposed data as well as the severity of each incident to properly determine the potential risk of harm – and thus your obligation to notify or not – is, in fact, over-reporting and can actually harm your business and even put the organization on the radar of the regulators for extra scrutiny.
It is the incidents where the organization chooses not to notify that require the most diligence and consistency in conducting jurisdiction-specific risk of harm assessments. With years of experience, we see organizations without consistency in incident risk assessment fall into two camps: over-reporting or under-reporting.
Over-reporting can erode the confidence that customers, patients, members, partners, and others have in your ability to protect their privacy. They may wonder just how secure your business is if you continually report breaches, even minor ones. That can cost you a lot.
Equally risky is the under-reporting of data breaches. By missing notification requirements, organizations may face significant fines and penalties. No matter how much you want to avoid reporting a breach, that doesn’t mean you aren’t legally responsible for doing so.
Organizations with a low volume of incidents may simply not be detecting all their incidents. But ignorance of the law is not a defense, and aside from running the risk of failing to report something that should be reported, these companies are also missing out on opportunities to identify areas for potential improvement in their data protection policies & controls and employee training to reduce future breach risks.
That being said, it is possible to determine and report only the breaches that need to be reported in accordance with regulations—nothing more, nothing less. But this requires trading existing manual and often ad-hoc incident response processes for purpose-built and intelligent incident response automation that provides decision-support to help the privacy and legal teams make consistent notification decisions.
According to Radar metadata compiled for our annual privacy incident benchmark report, across the healthcare, finance, and insurance industries, Radar users who apply best practices in incident response and post-incident risk mitigation, and who conduct compliant automated risk of harm assessments of incidents, found that less than 6.4% of all data incidents required notification in 2020.
6.4%. Imagine the reputational harm done if you reported 100% of those data incidents, or the impact enforcement of a single unreported breach could have on your organization. Having a consistent and defensible risk of harm assessment process is pivotal to compliance in incident response.
SOLOVE: How can organizations prepare for handling increased regulation complexity?
SHER-JAN: To prepare for compliance with the increased regulatory complexity, organizations should operationalize their incident response management processes. Streamlining incident detection and escalation, automating risk assessment, and maintaining a real-time view of changing domestic and evolving international regulations will help ensure compliance.
More intelligent automation and efficiency in incident response also frees up limited privacy and legal resources to support other business functions as demands on privacy expertise continue to grow across all organizations that provide products and services that capture, process, and maintain sensitive consumer data.
The bottom line is this: given the competing priorities and motivations of the parties involved, standardized privacy regulation will remain elusive. But even if that unlikely day comes, time and money spent creating efficiency will never be wasted.
SOLOVE: What metrics should privacy leaders look for to drive change and report program improvement?
SHER-JAN: For many privacy teams, identifying metrics that have a meaningful business impact can be a challenge. The first step is to identify privacy metrics that can be tied directly to organizational risk mitigation and demonstrate ROI. The second step is to view privacy reporting as program maturity. Beyond ROI, what business impact can you measure?
To accurately display impact to C-suite, it may help privacy teams to group the ROI benefits into three high-level strategic objectives: saving time and costs, reducing risk, and building trust.
Incorporating a consistent, defensible incident risk assessment process will ensure consistency and accuracy, accelerate the decision-making process, and eliminate the risk of over- and under-notifying. We provide an annual privacy incident benchmarking report to help organizations leverage industry benchmarks and identify inefficiencies to improve their own processes.
Incident response may sound like a reactive, slow-to-move facet of business. But we believe by operationalizing privacy and compliance leaders with efficient incident response processes, they can become leaders for reducing risk and driving ROI across organizations.
SOLOVE: Thank you, Mahmood, for your thoughtful insights about incident response. Mahmood is Founder and CEO of RadarFirst. For those wanting more information, here are three useful resources:
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and data security training. He also posts at his blog at LinkedIn, which has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum an annual event designed for seasoned professionals.