Incident Response as a Team Sport: Emerging and Best Practices · 2019. 10. 14.


October 16, 2019

Incident Response as a Team Sport: Emerging and Best Practices

Gerard Stegmaier, Reed Smith LLP

Neva DePalma, RadarFirst

Samuel S. Rubin, The Crypsis Group

Questions + Contact

Gerard Stegmaier, Partner, Reed Smith LLP

Neva DePalma, General Counsel and VP of Customer Success, RadarFirst

Samuel S. Rubin, Vice President, The Crypsis Group

Incident Response as a Team Sport

• Purpose of Session: A discussion of emerging trends at the intersection of law, forensics and tech-enabled response processes

• Agenda:

What does the data say? A look at the current industry benchmarks on privacy incident response

Cross-team collaboration discussion questions

Q&A

Benchmarking Data for Incident Response: Industry Standards

About the Data:

● Date range for the following data: 2017, 2018 and Jan-Jul of 2019

● All data has been anonymized

● Primary industries represented include financial services, healthcare, and insurance


Key Definitions

Incident: An unauthorized disclosure of personal information, for which a multi-factor risk assessment is performed to decide whether it is a breach

External Incident: An incident caused by a 3rd party processor or service provider

Breach: An incident that requires notification to impacted individuals

Occurrence Date: Date the incident took place

Discovery Date: Date the entity became aware of the incident

Notify Date: Date of first notification to regulators or individuals


How Many Incidents are Notifiable?

Appropriate risk mitigation is crucial.

With a compliant multi-factor risk assessment, you can avoid over-reporting.


How Many Incidents are Notifiable: Industry Breakout (2019)


Incident Category: Electronic, Paper, or Verbal/Visual


Disposition of Incident: Malicious, Inadvertent, Intentional?

Year   Unintentional / Inadvertent   Intentional / not malicious   Intentional / malicious
2018   96%                           2.9%                          1.1%
2019   96%                           3%                            1%

The majority of incidents are unintentional or inadvertent.

Regardless, there is a legal obligation to justify the decision, and to document and demonstrate a consistent risk assessment.


Incident Source: Internal vs. External


Number of Individual Records Exposed per Incident

In 2019, 89.4% of incidents exposed only one individual record.

Over the course of a year, RadarFirst customers on average assessed incidents impacting individuals across 21 states.


Average Incident Response Lifecycle

2019 BakerHostetler Report: occurrence to discovery = 66 days; discovery to notify = 56 days

IR Team Discussion Points: Challenges and Opportunities for Collaboration


How do your privacy, legal, and security teams work together? Or do they…?


What are key challenges in working cross-functionally?


How are you being proactive in addressing privacy concerns in your organization?


What is your yardstick for success?


Looking forward, what are your key initiatives to be “better together”?

Q&A
