The Basics of Data Privacy
Whether you're just getting started or are an experienced professional, this guide provides an easy-to-understand overview of the fundamentals of data privacy regulation and compliance.
Although businesses today go to great lengths to protect the sensitive information of their customers, employees and partners, data breaches are surprisingly common. In fact, most experts suggest that organizations should have response plans in place, as it is more a question of when you will be breached, not if. Data breaches are not all the same. The share of breaches caused by malicious attacks has steadily increased over time. Breaches also occur by accident or due to poor business practices—perhaps through the transmission of sensitive records over an unsecured system, weak internal processes, or the physical loss of a laptop holding confidential business material. Organizations should act to minimize the likelihood and impact of such mishaps with strong, proactive cybersecurity processes and technology.
Why is Cyber Incident & Data Breach Response Management Important?
Cyber incident and data breach response is critical for a number of reasons. The impacts of a data breach affect not only the data subjects involved, but also the organization itself, the partners and vendors it works with, and potentially other organizations in its jurisdiction or industry. IBM's 2023 Cost of a Data Breach Report found that the average breach cost $4.45 million, and the longer a data breach went undetected, the more expensive it became. These costs include lost business, the cost of responding to the breach and notifying its victims, and the detection, investigation, and auditing of the breach.
Regulators expect organizations to maintain logs of their incidents and demonstrate due diligence and the capability to address risks before a breach occurs. They also expect organizations to respond to incidents and breaches efficiently and quickly in multiple jurisdictions. This expectation means a different approach to incident and breach management and response is needed, and signals to the market that it is no longer acceptable to deal with such events as a “one-off.” The California Privacy Protection Agency's recently proposed regulations require organizations to take a more proactive approach to cybersecurity, rather than just responding when there is a breach.
Today’s breach landscape is highly complex. Every security incident is multi-jurisdictional. Even within the EU, where the regulations are the same, the regulators are not, and breach responses include tight timelines for reporting to regulators. A security incident is an operational event; whether it constitutes a data breach is a matter of law, and data breaches must be reported to regulators and to affected parties within strict timeframes. Coordinating all the activity involved in identifying the affected data, determining whether it meets the criteria for a breach, and producing the reports required in each relevant jurisdiction is a complex process that must be automated and synchronized.
Cyber Breach Severity Has Increased, But Breach Responses Aren’t Fully Coordinated
Data breach response is an area of privacy that tends to get a lot of attention from corporate management, consumers and regulators due to its often very public nature. Over the last five years, serious data breaches have occurred with increasing frequency. The publicity surrounding the Sony, Equifax and Capital One breaches, compounded by the actions of privacy advocates, has shown that regulators and the public are holding organizations to a higher standard.
What is surprising, given the frequency and impact of corporate incidents and breaches, is that organizations have not yet reached a level of maturity in their response that lets them present a documented, repeatable and defensible approach demonstrating due diligence to stakeholders. Instead, most organizations attempt to implement response and mitigation with portfolios of disjointed tools, manual processes, and ad hoc approaches.
Because of this approach, organizations are slow to identify incidents that meet the threshold of a breach. Poor and incorrect communication across all levels of the organization, and teams constantly reinventing the wheel, put the organization at risk of liability and possibly litigation.
Incidents can no longer be managed as one-offs, because they can be the signal of many issues that could turn into a much bigger problem.
Organizations face several additional challenges when law enforcement and other bodies are involved, which may impact their ability to meet the notification timelines, owing to the nature of the investigations and the stakeholders involved. Additional consideration needs to be given to the ‘no notice’ scenario. To make a defensible decision not to give notice, enough information must be collected and documented to justify that decision. This is an explicit obligation under some laws (such as Canada’s mandatory breach reporting framework) but is implied under any breach regime.
Additional complications arise from contractual obligations that may have stricter timelines and definitions than those found in legislation. In many business-to-business contexts, the client organization (“data controller” in EU parlance) has the obligation to provide notice within a limited period of time, and must rely on its service provider (“data processor”) to notify it of events. Careful consideration must be given to the imputed knowledge of the client in this context. The EU treats its 72-hour period for notification to a regulator as starting when a data processor becomes aware of the event. Therefore, clients’ contracts typically demand 24 or 48 hours’ notice (if not immediate) of an event so that they can meet their own obligations.
Regulatory Fines Have Increased & Are Receiving Board Attention
Fines for data breaches have increased in the past few years. More and more regulations stipulate fines as a proportion of the organization’s revenue, which can vastly increase the potential repercussions for large multinational organizations subject to a wide range of privacy regulatory regimes.
In addition to the privacy regulators, there are other forces at play, such as cybersecurity and competition law regulatory regimes, which can also impose fines for the same breach. Yet executives tend to focus on the risk of fines rather than other costs associated with breaches, such as long-term reputational or business losses that follow when a breach reveals the organization’s inability to manage data and cybersecurity risks.
When it comes to data breaches, organizations face the compounded pressures of warding off legal action, demonstrating due diligence internally, and complying with multiple breach notification laws. The only approach that puts businesses in a winning position is to get the entire breach management and response process planned, organized, and documented in advance, to execute it diligently, and then to continuously improve it.
A well-defined, repeatable process with set steps assigned to the appropriate stakeholders empowers the organization to meet the specific pressures and timelines of a breach response. The obvious benefits of such an approach are consistency and the ability to reliably demonstrate that the organization was prepared. Accurate execution shows that training and resources were properly allocated as part of a plan and were not an afterthought.
Automation & Breach Response Orchestration Are Key
Given the tight deadlines that often accompany breach notification laws, in-house legal teams facing an incident must act quickly to understand the scope of the breach, how it occurred, what information was affected, and who the stewards of the affected data are. With all of the activity involved, it is incumbent upon Legal to coordinate the response process if privilege is to be established and maintained (more on that later). Properly orchestrating and communicating the notification process will be key to establishing defensibility during breaches and other cyber incidents.
Depending on the nature of the breach, a company may have to notify regulators or customers whose data has been breached, and report and retain records of their investigation of the breach for specific timeframes. The exact requirements depend on the jurisdictions in which the violations occurred and statutes that govern the breached data. The decision to report on incidents is often a combination of objective and subjective considerations—including in determining the true severity of the incident. Given the range of potential outcomes, it’s important to build a notification process that courts regard as reasonable and defensible.
Like any other effective program at your organization, the keys to successful breach response include people, processes, and technology—and there are substantial savings for companies that invest in their incident and breach response teams, workflows, and platforms. While the notification process tends to be the lowest-cost aspect of a data breach for organizations, expenses still average about $370,000, according to IBM’s 2023 Cost of a Data Breach report, and the overall costs of a data breach average almost $1.5 million lower for organizations with high levels of incident response planning and testing.
A basic outline of a breach response might look something like this, but with depth that may stretch into several potentially conflicting statutes:
- Validation of the data breach
- Identifying remediation requirements, including compliance with breach notification regulations in differing jurisdictions—which could involve dozens of reporting and notification requirements, timelines, definitions of personally identifiable information, and other conditions
- An investigation into the breach, with documentation
- Internal communication and coordination with appropriate authorities and outside counsel, as needed
- Notifying the data subjects of the breach, when required
Organizations are expected to manage multiple legal, regulatory and compliance obligations and to be able to demonstrate how they responded to an event that may affect a large number of individuals in more than one jurisdiction. Because regulators form a closely connected network, the actions an organization takes in one jurisdiction, and its ability to demonstrate that those actions were appropriate, can set a good or bad precedent for the aftermath of a breach.
Cyber Breach Response Project Management
Treating cyber breach response as a project and managing it proactively according to a plan can help organizations detect breaches faster, remediate them more quickly, and report on them to authorities and data subjects, saving them significant monetary, business, and reputational costs. Here are some key mileposts you should hit when responding to any data breach or significant cybersecurity incident.
- Create a central project tracking mechanism early on, and build awareness among employees so that they report any event that contravenes your policies.
- Allow the IT and cybersecurity teams to conduct their own investigation and follow their process, so as to maintain the chain of custody of evidence and not interfere with forensics.
- Appoint a Project Manager (PM) and give them the mandate to take charge and verify whether an event is an incident or a breach, since not all incidents become breaches subject to extensive breach reporting and notification laws.
- Record events in a log, because many regulatory authorities expect it. A log also informs senior management about root causes, which can be early indicators of misunderstood practices that can then be corrected.
- Guide employees through the process: they may not know what incidents and breaches are, but if they are engaged and feel part of the process they will likely know what they must do at the right time.
- Verify that the employees involved in the incident response process record the steps they took to meet the obligations and to understand, investigate and ultimately repair the cause of the breach. Such a track record is invaluable in the eyes of an auditor or regulator.
Strengthen the Defensibility of Your Cyber Incident & Breach Response Management
A truly defensible cyber incident and breach response process, whether developed in-house or in partnership with legal advisors and technology partners, must be built on a deep understanding of the organization's data landscape and the various regulatory requirements that apply to it. Below are some key steps you can take to get started.
- Document the legislative requirements that apply to your organization, including those of the increasing number of states that have comprehensive privacy laws.
- Document the timeframes within which the respective parties are required to be given notice in the event of a data breach or cyber incident.
- Create an accurate, up-to-date data inventory and implement technology or processes to ensure that it is maintained and updated on a regular basis.
- Document the facts of the data breach or cyber incident in the light of all the applicable legal obligations (consider law enforcement, works councils, etc.).
- Document the process by which the analysis of the event has led to conclusions of notice (or no notice) required for both regulators and data subjects.
- Retain evidence that notice has been given, with the requisite information and in the form required by regulators.
- Record and manage the interactions with the parties who have been given notice.
Practical Ways to Establish & Maintain Privilege After a Cyber Event
Though cybersecurity case law is still developing, establishing a reasonable, repeatable process for handling a breach can help during litigation. Repeatable processes show that the business has a plan for incidents such as these, while ad hoc processes tend to be less effective in demonstrating defensibility. The Sedona Conference has outlined the following steps that should be taken to protect communications and documents created as a result of a data security incident, thus helping in-house counsel to preserve privilege:
- Proactively involve outside counsel in pre-incident activities that involve cybersecurity or other IT assessments being developed at the direction of the law firm, to help prioritize security controls based on legal and regulatory risks.
- Ensure that documents created by the business’s employees are created at the direction of outside counsel, solely for the purpose of assisting counsel in advising the business.
- Get specific IT vendors and forensics investigators on a retainer for the sole purpose of assisting outside counsel in advising the business of their legal obligations, rather than as a substitute for the business’s IT employees.
- Don’t disclose assessments, analyses, or forensics reports to other third parties, either purposely or accidentally. Use secure communications portals.
- Understand that documents may still be disclosed if privilege is waived or if the opposing party is able to prove that they need the information.
Managing incidents and data breaches is a key responsibility of the privacy compliance team. The regulations governing breach determination and response are stringent, and require a well-orchestrated, multijurisdictional response. Organizations that have automated incident and breach management coordinating their legal, compliance, privacy and investigation teams are able to meet their deadlines, get better results, and avoid costly repercussions.