
PRIVACY INSIGHT SERIES

Summer / Fall 2018 Webinar Program

Data Breach Management – Requirements and Best Practices
19 September 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Today’s Speakers

Travis Cannon
Director of Partnerships
RADAR

Deborah Cook Wells
Senior Privacy Consultant
TrustArc

2 Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc


Today’s Agenda

• Welcome & Introductions
• Regulatory Overview
• Creating an Effective Breach Management Program
• Benchmarking
• Creating the Right Culture
• Recommendations – Next Steps
• Questions




Thanks for your interest in our webinar slides!

Click here to watch the on-demand recording.




Regulatory Overview





Growing breach regulations in U.S. & around the globe
Regulatory complexity continues for privacy professionals in the United States and across the globe:

• 2018: New or amended breach notification legislation has gone into effect in 9 states year-to-date, with 2 additional bills going into effect by the end of the year.
• Trends:
  • Expanded scope of personal information
  • Required notification to the state AG
  • Specific timeline (30 - 45 days) for notifications
• Consumers are more aware of their privacy rights:
  • Consumer complaints in the EU rose by 14.5%
  • ICO received 46K more calls than the previous year – a 24.1% increase
  • Number of live chats rose by 61.5%




A Successful Data Breach Management Program





Lifecycle of an event (flow diagram)
Someone does/sees something → Privacy Team receives the Event → Privacy Team performs Initial Review → Privacy Team determines if the Event is an Incident → Privacy Team and SMEs perform Risk and Regulatory Assessment → Privacy Team determines if Notification is needed → Notification and Breach remediation performed → Privacy Team Reporting

• An Event is reported by employees or vendors when something looks suspicious
• After Initial Review by the Privacy Team, the Event is determined to:
  • Become an Incident (possible breach, needing more review)
  • Stay an Event (kept in reporting, no further work required)
• If determined an Incident, SMEs are included in Risk and Regulatory Assessment
• A Breach is a compromise to the integrity of systems or unauthorized access or disclosure of personal data, which requires notification to regulators or consumers
• If a Breach, notification takes place
• Management Reporting executed, Remediation plans built and executed
Building an efficient & effective incident response program

Hallmarks of the people/human element of your incident response program:
• A trained, observant workforce
• Strong vendor management oversight
• Dedicated Privacy Team
• Close ties with IT (DPIA and PIA, DLP, etc.)
• Selected SMEs in each business process



Building an efficient & effective incident response program

Operationalizing your incident response program in 5 steps:
1. Streamlined incident escalation to privacy team
2. Multi-factor incident risk assessment
3. Notification content & timeline
4. Real-time reports and trend analysis
5. Staying current with changing regulations



Hallmarks of a Successful Breach Investigation
• Event researched to quickly determine:
– Data elements involved
– Systems involved
– Consumers involved
– Risk of harm
– Regulatory requirements
• Escalation properly performed
– SMEs involved
– Correct level of management involved
• Timely notification provided
– Clear, concise, and in required format
• Documents captured and stored
• Accurate reporting and useful remediation performed

Benchmarking Insights





Incident benchmarking data

18.4% of privacy events in 2017 rose to the level of a breach (13.86% in the first half of 2018)

• However, every incident matters.
  • Even though only one in 10 incidents is actually a notifiable breach, it is still critical to assess every incident.
  • By documenting and assessing every incident, every time, your organization will have complete documentation of each incident, as well as a record of every aspect of your decision as you conduct incident assessments, even for incidents that clearly fall outside of regulatory requirements.



Dashboards

• Accurate reporting usually includes:
  – Activity Numbers
    • Events reported
      – By which Business Process Team
    • Incidents researched
      – By type (whatever is applicable to your industry, company)
    • Breaches
    • Notifications
      – By type (Regulator, Consumer)
  – Timeliness Numbers
  – Updates on remediation efforts
  – Progress against KPIs, KRIs, LRIs
  – Actionable information is best
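The lifecycle on slide 10 (Event, Incident, Breach), the "document every incident, every time" rule from the benchmarking slide and the dashboard counts above can be operationalized as a small incident register. The following is an added example written for this page, not TrustArc's or RADAR's software; the class and field names, the 30-day notification window (the regulatory slide cites 30- to 45-day state timelines) and the sample records are all assumptions. It rejects stage transitions the lifecycle does not allow, refuses any decision that lacks a written rationale (including "stay an Event"), only lets a Breach be notified, and produces the activity and timeliness figures a dashboard needs, including breaches that have passed their notification deadline without a notice being sent.

```python
"""Incident register for the Event -> Incident -> Breach lifecycle described on this page.
Added illustration, not TrustArc or RADAR code; all names, the 30-day window and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Stage(Enum):
    EVENT = "event"        # reported; awaiting or after initial review
    INCIDENT = "incident"  # possible breach, under risk and regulatory assessment
    BREACH = "breach"      # notification to regulators and/or consumers required
    CLOSED = "closed"      # kept for reporting, no further work


ALLOWED = {  # the only transitions the lifecycle permits; anything else is rejected
    (Stage.EVENT, Stage.INCIDENT), (Stage.EVENT, Stage.CLOSED), (Stage.INCIDENT, Stage.BREACH),
    (Stage.INCIDENT, Stage.CLOSED), (Stage.BREACH, Stage.CLOSED)}


@dataclass
class Record:
    ident: str
    team: str                                          # reporting business process team
    reported: date
    stage: Stage = Stage.EVENT
    decisions: list = field(default_factory=list)      # append-only audit trail
    determined: date = None                            # date declared a Breach, else None
    notifications: list = field(default_factory=list)  # (date sent, recipient)


class Register:
    def __init__(self, window_days=30):  # 30 days is an assumption; statutory windows vary
        self.window, self.records = timedelta(days=window_days), {}

    def report(self, ident, team, on):
        self.records[ident] = Record(ident, team, on)

    def decide(self, ident, new, on, who, rationale):
        """Record a decision; even 'stay an Event' needs a rationale (why, not just what)."""
        rec = self.records[ident]
        if (rec.stage, new) not in ALLOWED:
            raise ValueError(f"{ident}: {rec.stage.value} -> {new.value} not allowed")
        if not rationale.strip():
            raise ValueError(f"{ident}: decision needs a documented rationale")
        rec.decisions.append((on, who, rec.stage.value, new.value, rationale))
        rec.stage = new
        if new is Stage.BREACH:
            rec.determined = on

    def notify(self, ident, on, recipient):
        rec = self.records[ident]
        if rec.stage is not Stage.BREACH:
            raise ValueError(f"{ident}: only a Breach is notified")
        rec.notifications.append((on, recipient))

    def dashboard(self, as_of=None):
        """Activity and timeliness figures, plus breaches past their deadline as of a date."""
        as_of = as_of or date.today()
        by_team, by_recipient, overdue = {}, {}, []
        incidents = breaches = on_time = late = 0
        for rec in self.records.values():
            by_team[rec.team] = by_team.get(rec.team, 0) + 1
            incidents += any(d[3] == Stage.INCIDENT.value for d in rec.decisions)
            if rec.determined is None:
                continue
            breaches += 1
            for _, recipient in rec.notifications:
                by_recipient[recipient] = by_recipient.get(recipient, 0) + 1
            due = rec.determined + self.window  # notification deadline for this breach
            if rec.notifications:  # timeliness is judged on the first notice sent
                first = min(when for when, _ in rec.notifications)
                on_time += first <= due  # bools count as 0/1
                late += first > due
            elif due < as_of:
                overdue.append(rec.ident)
        total = len(self.records)
        return {"events_reported": total, "events_by_team": by_team, "incidents": incidents,
                "breaches": breaches, "breach_rate": round(breaches / total, 3) if total else 0.0,
                "notifications_by_recipient": by_recipient, "notified_on_time": on_time,
                "notified_late": late, "overdue_unnotified": overdue}


def sample_register():
    """Constructed sample records (not real cases) covering each path in the lifecycle."""
    r = Register()
    r.report("E-001", "HR", date(2018, 7, 2))
    r.decide("E-001", Stage.CLOSED, date(2018, 7, 3), "privacy", "misdirected email, recalled unopened")
    r.report("E-002", "Marketing", date(2018, 7, 5))
    r.decide("E-002", Stage.INCIDENT, date(2018, 7, 6), "privacy", "lost laptop")
    r.decide("E-002", Stage.CLOSED, date(2018, 7, 12), "privacy+IT SME", "disk encrypted, no access")
    r.report("E-003", "Customer Support", date(2018, 7, 10))
    r.decide("E-003", Stage.INCIDENT, date(2018, 7, 10), "privacy", "export sent to wrong vendor")
    r.decide("E-003", Stage.BREACH, date(2018, 7, 20), "privacy+legal SME", "unencrypted PII disclosed")
    r.notify("E-003", date(2018, 8, 10), "regulator")
    r.notify("E-003", date(2018, 8, 12), "consumer")
    r.report("E-004", "HR", date(2018, 7, 15))
    r.decide("E-004", Stage.INCIDENT, date(2018, 7, 16), "privacy", "payroll file on public share")
    r.decide("E-004", Stage.BREACH, date(2018, 7, 18), "privacy+HR SME", "external downloads in logs")
    return r
```

Calling `sample_register().dashboard()` gives the counts by team, the incident and breach totals, the breach rate, notifications by recipient, and lists E-004 as overdue because its 30-day window closed on 17 August 2018 with no notice sent. The decisions list on each record is the audit trail the benchmarking slide asks for: who decided what, when, from which stage, and why, even for E-001, which never became an Incident.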




Creating the Right Culture





Hallmarks of a Good Data Incident Culture
• There is an increasing number of Events reported to the Privacy Team
• There is a slowly decreasing number of ‘bad’ Events reported to the Privacy Team
• SMEs are willing to participate in Risk and Regulatory Assessments, and use the knowledge they gain to make changes to processes and procedures
• Notifications are made in a timely manner
• Senior Management is comfortable with escalations and reporting




Recommendations – next steps



Things to think about – The Basics
• Do you have a policy in place to address Privacy Breaches?
• Has your workforce been trained?
• Do you have a project plan, templates, and escalation plans in place?
• Have you run a simulated data breach?
• Does your senior management know Data Breach is part of your total Privacy Program?

Graphic Source: IAPP: SecureIntel



Simulated breach and lessons learned
• Andrea Jelinek, Chair of the EDPB (formerly Art 29 WP), suggests one of her biggest recommendations around breach is to prepare internally by doing a simulation exercise
  – Mock tabletops, i.e. planting a fake breach and either letting the teams know (or not) to see how they respond
  – The most likely cause of a breach is human error. Make sure your workforce is your biggest asset, not your greatest risk
• A second recommendation is to prepare internally by regularly performing a lessons learned exercise.
  – Review your larger or more troublesome incidents
    • Look at root causes, systems impacted, data involved, consumers
    • Review timeliness of initial notification, responses, escalation path, feedback from consumers, remediation






Questions?




Contacts
Travis Cannon travis@radarfirst.com
Deborah Cook Wells dwells@trustarc.com




Thank You!
Register now for the next webinar in our 2018 Summer / Fall Webinar Series, “ePrivacy Regulation - What to Expect and How to Prepare”, which is due to take place on October 24, 2018.

See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.

