Mitratech - Connecting People, Knowledge, Process

A central workplace for effective responses to privacy breaches and other information security incidents

Incident Response (IR) refers to the process of identifying, mitigating and remediating information security incidents such as network intrusions, loss of laptops and other mobile devices, and loss of media such as backup tapes and hard copy documents. Traditionally, IR had been confined to the IT department, with relatively little interaction from other departments unless the scope of the incident was so large that it required review by the legal department or investigation by internal audit. In the case of network intrusions, the emphasis by IT was to get the intruder out and the system secured, then to get affected networks and systems back up and running—relatively little emphasis was placed on gathering and preserving evidence of the event for use in legal proceedings. In April of 2002, a network run by the State of California containing, among other data, personally identifiable information (PII) about members of the state legislature, suffered an intrusion. Concerns about identity theft quickly escalated, and as a consequence, legislation was quickly passed requiring owners or controllers of data containing PII to notify affected parties as soon as practicable if a breach is reasonably believed to have taken place. Thus, the nation’s first database breach notification (DBN) law came into effect, creating additional duties for information security officers and the IR team.

Breach notification development

Since passage of the California statute (usually referred to as SB1386), at least 46 states have passed their own version of a DBN statute amid regular efforts by the U.S. Congress to pass a federal one. The federal statute governing information security for government IT, the Federal Information Security Management Act (FISMA), requires notification of privacy breaches to potentially affected parties when the PII implicated is hosted by a system controlled by a federal agency or a government contractor. In the healthcare sector, amendments to the Security and Privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in 2009 require healthcare providers and covered entities to notify patients when the confidentiality of their PII has been implicated. As a consequence, entities with a nationwide presence, such as a pharmacy chain, are often required to satisfy multiple sets of DBN-related regulations. As of this writing, only the United States and Japan have such statutes, while Canada is considering enactment of its own.

New compliance obligations

The passage of DBN statutes has resulted in two new sets of tasks related to IR: (1) breach response, or the tasks required of the entity in question to remedy the breach by the applicable statutes and regulations; and (2) legal response, or the tasks required by inside and outside counsel to address the legal implications of the breach. Both responses serve to minimize the actual and potential damage to the entity as well as build a compelling claim to the entity’s insurance carrier. 
Breach response. Given its compliance orientation, in most instances breach response will be addressed by the Chief Compliance Officer (CCO) of the organization that has experienced the breach. Breach response tasks vary with the applicable statutes and regulations, but tend to address the same issues: (1) the protected class of persons, usually residents of the given jurisdiction; (2) who is responsible for notifying the affected parties; (3) how fast the affected parties must be notified; (4) how notification must take place; (5) other entities that must be notified, such as consumer protection agencies or the state Attorney General’s office; and (6) so-called “safe harbor” rules that, in theory, eliminate the need to notify affected parties, such as if the PII in question has been encrypted. Each of these tasks creates a separate process that must be managed by members of the IR team, legal department, business managers, the media and public relations department, and potentially others.
Legal response. Legal response tasks involve addressing potential legal liability and regulatory scrutiny and are led by the General Counsel’s office. Such tasks include determining, with input from other team members, whether: (1) the information accessed was truly PII; (2) the safe harbor rules relating to encryption of the data are applicable; (3) there was a duty to protect the affected parties; (4) other parties, such as vendors or business partners, might be potentially liable; and (5) information security measures met the standard of care. Other tasks include determining the dollar value of the damages to the entity and, in the case of public companies, whether the breach represents a material weakness in internal controls that requires the submission of an interim report to the Securities and Exchange Commission (SEC). Whenever an incident takes place that makes the expectation of litigation or regulatory agency action reasonable, corporate counsel must take steps to preserve evidence of the incident and relevant collateral information, both of which are typically in electronic form. Examples of evidence include: user access control logs; log files from network and host devices, such as firewalls and Intrusion Detection Systems (IDS); and forensic images of hard drives. Collateral documents and communications stored on the network that may have relevance to the breach, such as policies, need to be preserved, and as a consequence, a legal hold may be issued by the General Counsel’s office. That hold necessitates that electronically stored information (ESI) be protected from alteration and requires: (1) communication with parties throughout the enterprise that may have access to such ESI and a means to enforce their compliance; and (2) technical means to prevent changes to that ESI. Forensic experts who may be required to testify in court need a means to record their impressions and notes in a central place for later recall.
All of the foregoing, however, rests on the integrity of the process used to collect and manage evidence of the breach itself and the collateral documents and communications that describe the circumstances surrounding the breach.
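As an added example (not part of this Mitratech page or its product), the following Python shows one technical means of protecting preserved ESI and the integrity of the collection process described above: a hashed evidence manifest captured at collection time, verified later to detect alteration, deletion or additions, with the manifest's own item list sealed by a digest. The file names, log contents, hold identifier and custodian address are constructed placeholders.

```python
"""Evidence integrity manifest for a legal hold.

Added example, not code from the page or vendor. Assumes (hypothetically) that
preserved evidence items are plain files under one directory and that the
manifest is kept outside that directory (e.g. in the matter-management system).
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB pieces so large forensic images fit in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_paths(root):
    """All files under root as forward-slash relative paths (portable manifest keys)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            yield rel.replace(os.sep, "/")


def _items_digest(items):
    # Digest over a canonical serialisation of the item list, so the manifest
    # itself can be sealed (and later re-checked) independently of the files.
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(root, hold_id, custodian):
    """Record hash and size of every evidence file at collection time."""
    items = {}
    for rel in sorted(_relative_paths(root)):
        full = os.path.join(root, rel)
        items[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "hold_id": hold_id,
        "custodian": custodian,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
        "items_digest": _items_digest(items),
    }


def verify_manifest(root, manifest):
    """Re-hash the evidence set and report what changed since collection."""
    items = manifest["items"]
    sealed = _items_digest(items) == manifest["items_digest"]  # manifest untampered?
    modified, missing = [], []
    for rel, meta in items.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            missing.append(rel)
        elif sha256_file(full) != meta["sha256"]:
            modified.append(rel)
    unexpected = sorted(set(_relative_paths(root)) - set(items))
    ok = sealed and not (modified or missing or unexpected)
    return {"ok": ok, "manifest_sealed": sealed, "modified": sorted(modified),
            "missing": sorted(missing), "unexpected": unexpected}


def demo():
    """Constructed scenario: collect three evidence files, then alter one later."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample evidence, not real logs
            "firewall/fw-2024-01-05.log": b"2024-01-05T03:12:44Z DENY tcp 10.0.0.5 -> 10.0.1.9:445\n",
            "ids/alerts.json": b'{"sig":"EXAMPLE SCAN","src":"10.0.0.5"}\n',
            "notes/examiner.txt": b"Image of LAPTOP-EXAMPLE acquired; write blocker used.\n",
        }
        for rel, data in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest = build_manifest(root, "HOLD-EXAMPLE-001", "examiner@example.invalid")
        before = verify_manifest(root, manifest)
        # Simulate an accidental post-collection edit to the examiner's notes.
        with open(os.path.join(root, "notes/examiner.txt"), "ab") as f:
            f.write(b"edited after collection\n")
        after = verify_manifest(root, manifest)
        return before, after, manifest


if __name__ == "__main__":
    b, a, m = demo()
    print("at collection:", b)
    print("after edit:   ", a)
```

The manifest only detects change; it does not prevent it. In practice it is stored with the hold record, outside the evidence directory and beyond the reach of the custodians, and the verification is re-run (and its result logged) each time the material is handed over or produced.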
All of the responses cited above—incident response, breach response and legal response—have a common set of requirements. There must be a means to:
  • Track the matter from the time the incident occurred to the time when the statute of limitations for legal action relating to the breach has expired;
  • Generate reports that summarize pending responses by type, regulation, geography, responsible party or other desired criteria;
  • Determine what actions particular members of the various response teams took and when they took them;
  • Allow parties from other departments and business units to access the matter and add pertinent data and analysis;
  • Allow outside counsel, outside experts and service providers to access the matter and add pertinent data and analysis;
  • Allow electronic submission of invoices by outside counsel in a way that prevents duplicative billing or billing for items that are contrary to the retainer agreement;
  • Issue, maintain and modify legal holds;
  • Track handling of ESI preserved as part of a particular legal hold; and
  • Track the Service of Process for notices related to pending litigation and regulatory review.
In addition, the system that supports these functions needs to allow each team member access to only the parts of the matter that are necessary for them to perform their function and integrate with existing access control methodologies, such as Single Sign-On (SSO). 
All of these functional requirements need to be united by a common principle that enables the entity to carry out its many response duties consistently and in a way that protects the integrity of the processes.

Respond with confidence

By utilizing Collaborative Accountability, organizations that suffer privacy breaches are empowered to demonstrate that they addressed the breach in a way that minimized potential harm to the affected individuals while maximizing their ability to fulfill the list of response requirements in a timely manner. Team leaders from IT security, corporate compliance and legal can all operate from a single point of control. By preventing documentary evidence from being accidentally destroyed and preserving evidence from the incident in a forensically sound manner, the organization not only fulfills its discovery obligations but strengthens its defense posture should the matter ultimately be scrutinized by a regulatory body or go to trial. Giving all team members ready access while limiting that access to only those who require it allows the team to move swiftly while preventing data from being altered accidentally. Finally, in the event that errors are made by team members during a particular response process, the ability to forensically deconstruct those errors can demonstrate that, overall, the response was reasonable in light of the circumstances and the errors did not have a material effect on the outcome.

Protect and serve

Privacy breach-related compliance obligations are extensive, varied, and growing. Direct and indirect regulation of privacy breaches at the federal level has created a substantial compliance burden for organizations. State DBN statutes and regulations have created an equivalent burden, and even if federal legislation eventually pre-empts them, organizations still face the prospect of foreign governments enacting their own. There are also many regulations that mandate privacy protection without citing specific breach provisions but imply the necessity of notifying affected parties or run the risk of litigation and regulatory action. Private regulatory bodies such as payment card associations have their own privacy regulations and can terminate a merchant’s ability to process payment card transactions if that merchant goes out of compliance. Protecting consumer privacy and remediating privacy breaches, then, is a compliance process that necessitates involvement by nearly every part of an organization, including IT security, legal, compliance, records management, media and public relations and outside counsel and experts. Collaborative Accountability is the principle that unites the extended enterprise or “extraprise” in its efforts to both proactively manage consumer privacy and responsibly address privacy breaches in a way that minimizes the potential damage to the company’s brand and stock price as well as aggregate corporate liability.