- Damages from cybercrime are expected to hit $6 trillion in 2021
- The challenges & opportunities of the incident management lifecycle
- Actionable data redaction insights to reduce incident notification
Read more below.
How leveraging data protection tactics reduces risk and data breach notification obligations
At the annual IAPP PSR conference, Mahmood Sher-Jan, Founder & Strategic Advisor RadarFirst and Kelly Matoney, Executive Director of Privacy Vista Consulting Group, shared their collective insights as to how basic data redaction can protect organizations from unnecessary data breach notifications amid complex jurisdictional obligations and nuanced state laws.
The Growing Cost of Data Privacy & Security Incidents
This year, the CISCO Privacy Benchmark Study, found that Privacy is ascending the ranks for budget and priority across industries. Two key drivers of this shift are the need to mitigate increasing data risks and the urgency to reduce the cost and impact of incidents.
The study found that 90% of organizations now report privacy metrics to their C-suite and Boards, 93% of organizations turned to their privacy teams to help navigate pandemic challenges, and data privacy budgets for large and small organizations has doubled from 2019 to an impressive $2.4 million on average.
On the flip side of the spending coin, damages from cybercrime are expected to hit $6 trillion in 2021 (up from $3 trillion in 2015). Those damage costs include:
- Damage and destruction of data
- Stolen money
- Lost productivity
- Theft of intellectual property
- Theft of personal and financial data
- Embezzlement
- Fraud
- Post-attack disruption to the normal course of business
- Forensic investigation
- Restoration and deletion of hacked data and systems
- Reputational harm
Data Redaction for Reducing Risk & Notification Obligations
Investment in Privacy is a great start to building a risk-adverse organization but it’s only the first step in a long road of data protection practices. To avoid costly damages, privacy leaders need to exercise delicacy in data hygiene to account for diverse and nuanced state and international data protection laws.
At last count, 41 state laws support a redaction exception. However, redaction is not a singularly defined exemption, typically, there are two flavors of redaction found in US state general breach notification laws:
- Not prescriptive – not defined, redaction is typically mentioned in the definition of personal information.
- Maryland: Personal information means an individual’s first name or first initial and last name in combination with any one or more of the following data elements when the name or the data elements are not encrypted, redacted, or otherwise protected by another method that renders the information unreadable or unusable.
- Prescriptive – defined, typically includes specific requirements around number truncation.
- Kansas: Redact means alteration or truncation of data such that no more than the following are accessible as part of the personal information:
- Five digits of a Social Security number, or
- The last four digits of a driver’s license number, state identification card number, or account number.
- Kansas: Redact means alteration or truncation of data such that no more than the following are accessible as part of the personal information:
Incident Management Lifecycle: Challenges & Opportunities
As state regulations continue to pass and new and nuanced redaction exceptions become applicable within the U.S. and international data breach landscape, Privacy leaders are in a race against the clock to identify and assess new exemption opportunities – and how efficiency and risk mitigation practices can fit into their operational agenda.
At RadarFirst, we define incident response process in six stages.
- Create & triage (detection)
- Investigate & profile
- Assess (analysis)
- Decide
- Notify (notification)
- Close
“Overlapping incidents needing to be assessed is stretching resources – tacked on top of a longer timeline to occurrence to notify.” –Kelly Matoney
To best reduce time and resources spent on privacy incident management, effective risk assessment must be: consistent, objective, timely, and defensible. The repeatability of the process ensures compliance in a complex and changing regulatory landscape.
The above timeline depicts data from the 2021 Baker Hostetler data security incident response report, which found the average amount of time it took an organization to process an incident to the point of a notification was 78 days.
Compared to organizations who leverage Radar Intelligent Incident Management, this process can be reduced by 51 days.
“There are people costs, operational costs, and everything get magnified with a lengthy timeline. Keeping timelines short is imperative.” –Mahmood Sher-Jan
Incident Risk Mitigation Through Multifactor Assessment
Beyond gained efficiency from Radar Intelligent Incident Management, Sher-Jan discussed the value of conducting multi-factor risk assessment within privacy incident response, and how organizations who notify based on the presumption of breach may be tarnishing valuable brand reputation without the assistance of an automated risk assessment.
Radar metadata shows us that the average amount of notifiable incidents can be reduced over 93% when organizations leverage Radar to automate risk assessment.
With a demonstrable record of increasing incident volume and risk, Sher-Jan and Matoney reflected that Privacy best practices can become a driver for efficiency and risk mitigation and shared tactics for operationalizing your privacy program.
Actionable Data Redaction Insights
- Focused training programs & awareness campaigns
- Look for trends to discover areas where additional controls or process changes could reduce risk
- Uncover policy violations that have occurred
- Pinpoint policies that need to be created or revised
- Identify business units where additional resources are needed
- Develop a task force and/or accountability within the business units
- Consider whether automation or outsourcing will reduce cost and/or risk
- Review and amend contracts with vendors
Tips for Getting Started
“Use the metrics, measurement, and language that boards really understand.” –Mahmood Sher-Jan
- Think about format and consider the audience
- Think about the story the data tells
- Pull out insights and conclusions that can be drawn based on the data
- Consider determining “normal run ranges” to identify when process anomalies may have occurred
- Maintain real-time metrics and dashboards (this will make it easier when needing to report to the Board and executive-level)
- Per month, per quarter, per year –look for seasonal trends and triggers
- Start small. Focus on a few metrics, get feedback, then expand
- Document actions that are taken as a result of the metrics to demonstrate business value/reduced risk over time
With a solid foundation of best practices, next, quantify maturity with key performance indicators that demonstrate audience impact, incident response metrics, and improvement over time:
(Source: Jay Cline, PwC, Privacy Incident Benchmarking and KPIs)