Author: Glenn A. Stout, Ph.D, PMP
Your organization just experienced a data security incident. All of the data that was entrusted to your organization to be kept safe is now “out there” on the Internet. Your organization doesn’t have an incident response plan. Who do you call? When should you call? What information needs to be reported?
Many organizations are under the false belief that their organization is not a target for a data breach (they’re too small, they don’t store PII…) and they fail to devise a simple incident response plan. When an incident response plan is instituted, it provides a roadmap to follow in the event of a security incident. Through the incident response planning process, organizations understand and clearly document the obligations set forth in any contracts, regulations, or statutes.
When incident response planning is done correctly, companies already know the answers to important questions prior to an incident:
- What qualifies as a security incident?
- When do I call?
- Who do I call?
- What information will I need to report?
- Who in my organization should be involved?
Organizations that engage with third-party entities often develop contracts that cover the storage and processing of sensitive data. A key component of these contracts involves provisions for how sensitive data is to be managed. Likewise, these contracts will often detail the obligations for protecting data, and the notification requirements if the data is breached. These requirements are vital to understand when drafting an incident response plan.
More often than not, contracts are not shared with the security or IT departments. They frequently end up forgotten in a file cabinet or on a file share. In the event of a security incident, IT and security departments scramble to locate contracts in order to understand their obligations. This lack of planning can lead to non-compliance with contractual agreements and general mayhem.
Organizations may also have obligations other than third-party contracts, such as those to employees or patients (in the case of healthcare). If employee or patient data is compromised via the payroll system, HR records, hospital/medical records and the like, the offending organization must know what their obligations are to notify employees or patients of a data breach.
Process to Identify Obligations
The following chart outlines the process that organizations should follow to understand their obligations, whether it’s to customers, clients, patients, employees, etc.
Step 1: Data Collection Phase
Review contracts, regulations, and statutes to document the actual facts about the obligations.
- Get access to all contracts that have to do with business relationships, where the organization maintains data from third-party partnerships – OR – where third-party partners maintain the organization’s data.
- Identify the types of data being housed in the organization’s systems such as Personally Identifiable Information (PII), Protected Health Information (PHI), etc. This includes customer, employee, and stakeholder data.
- Gain an understanding of what regulations and statutes the organization is obligated to follow.
For each contract, ask the following questions:
- Who are the parties involved in the contract?
- What are the terms of the contract?
- What information is being protected?
- What types of notification are required, and to whom?
- What do the regulations or statutes require?
Keep in mind that confidentiality breaches may not be the only terms of data protection and privacy you should look for. The “right to be forgotten” is increasingly common: personal data or intellectual property must be expunged without trace when certain milestones are met. Data availability, data integrity, even the timeliness of data are increasingly common requirements in contracts. Breaches of any stated condition of information or systems should be considered in this step.
Step 2: Interpretation Phase
Document what needs to be done as a result of the facts gathered in the data collection phase (change a policy, create a communication plan, etc.).
Obligations should be stated clearly. Based on contracts, regulations, and/or statutes, the obligations regarding the data that is in the custody of the organization should be clearly articulated. This applies to the organization and any third-party partners that store its data.
Once the obligations are understood, ask:
- What process does the organization need to follow in order to comply with contracts, regulations and statutes?
- Will a new process be required in order to comply?
- What exactly has to be done, and what has to be in place in case of a breach in order to comply?
- How will the organization verify that proper precautions have been taken?
Once this information is collected, a deliberate action plan should be implemented to update policies, procedures and most importantly, the incident response plan’s communications procedures.
Step 3: Implementation Phase
The organization is now ready to execute the plan created in the interpretation phase. This is the time to update or create incident response plans, communications plans, and policies. All of the items identified in Step 2 should be completed in Step 3.
The output of Step 3 should be:
- Updated policies and procedures. Ensure that the protection of data is in compliance with contract requirements, as well as regulatory and legislative requirements.
- Updated communication plan. A communication plan should contain the names and numbers of whom to contact and the circumstances in which they need to be contacted.
- Updated contracts. Ensure contracts are specific, particularly if some of the information gathered through the incident response planning process is not already in the contract. Remember that this also applies to contracts with third parties that store an organization’s data.
Step 4: Review Phase
Finally, make sure that all items that were planned out as part of the interpretation phase (Step 2) have actually been executed in the implementation phase (Step 3):
- Did the policy get updated and approved?
- Did the communication plan get created?
- Did the contractual agreements get updated?
- Did the incident response plan get updated?
This final step ensures that all of the items identified in the first three steps were actually implemented.
Knowing what your obligations are before a data breach strikes can directly affect the impact that the data breach has on your organization, with respect to time, money and human resources. Organizations that use this simple process will have a much better handle on a data breach than those that do not. Prepared organizations will know who to call, when to call, and what information to provide, leading to a much smoother incident response process. Being prepared can help resolve an incident much more efficiently when one strikes.