October 16, 2019
Incident Response as a Team Sport: Emerging and Best Practices
Gerard Stegmaier, Reed Smith LLP
Neva DePalma, RadarFirst
Samuel S. Rubin, The Crypsis Group

Questions + Contact
Gerard Stegmaier, Partner, Reed Smith LLP
Neva DePalma, General Counsel, VP of Customer Success, RadarFirst
Samuel S. Rubin, Vice President, The Crypsis Group
Purpose of Session
• A discussion on emerging trends at the intersections of law, forensics and tech-enabled response process
• Agenda:
  What does the data say? A look at the current industry benchmarks on privacy incident response
  Cross-team collaboration discussion questions
  Q&A

About the Data: Benchmarking Data for Incident Response Industry Standards
● Date range for following data: 2017, 2018 and Jan-Jul of 2019
● All data has been anonymized
● Primary industries represented include financial services, healthcare, and insurance
Key Definitions
Incident: Unauthorized disclosure of personal information where a multi-factor risk assessment is performed to decide whether it is a breach
External Incident: An incident caused by a 3rd party processor or service provider
Breach: An incident that requires notification to impacted individuals
Occurrence Date: Date the incident took place
Discovery Date: Date the entity became aware of the incident
Notify Date: Date of first notification to regulators or individuals

How Many Incidents are Notifiable?
Appropriate risk mitigation is crucial. With a compliant multi-factor risk assessment you can avoid over-reporting.
How Many Incidents are Notifiable: Industry Breakout (2019)

Incident Category: Electronic, Paper, or Verbal/Visual

Disposition of Incident: Malicious, Inadvertent, Intentional?

Year   Unintentional / Inadvertent   Intentional / not malicious   Intentional / malicious
2018   96%                           2.9%                          1.1%
2019   96%                           3%                            1%

The majority of incidents are unintentional or inadvertent. Regardless, there is a legal obligation to justify the decision, as well as to document and demonstrate consistent risk assessment.
Incident Source: Internal vs. External

Number of Individual Records Exposed per Incident
In 2019, 89.4% of incidents exposed only one individual record.
Over the course of a year, RadarFirst customers on average assessed incidents impacting individuals across 21 states.

Average Incident Response Lifecycle
2019 BakerHostetler Report:
Occurrence to discovery = 66 days
Discovery to notify = 56 days
IR Team Discussion Points: Challenges and Opportunities for Collaboration

How do your privacy, legal, and security teams work together? Or do they…?

What are key challenges in working cross-functionally?

How are you being proactive in addressing privacy concerns in your organization?

What is your yardstick for success?

Looking forward, what are your key initiatives to be “better together”?
Q&A